IE patch carries security bug

There's more trouble with Microsoft's latest Internet Explorer patch: It introduces a serious new security flaw on some Windows systems.

The vulnerability could let miscreants hijack a Windows PC running IE 6 with Service Pack 1 and the MS06-042 update installed, Microsoft said in a security advisory published on Tuesday. The flaw lies in the way IE handles long Web addresses and could be exploited by luring users to specially crafted Web sites, according to the advisory.

"An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system," Microsoft said in its advisory. "We are not aware of attacks that try to use the reported vulnerability."

Microsoft released the MS06-042 security update on Aug. 8 as part of its monthly patch cycle. The update, deemed "critical" by Microsoft, addresses eight flaws in the ubiquitous browser. It is one of a dozen security updates that Microsoft released this month on Patch Tuesday.

The company planned to release a new version of the MS06-042 update on Tuesday to fix a problem with browser crashes reported by some users after installing the original fix. That crash, it turns out, is the result of a "buffer overrun" flaw introduced by the security update, Microsoft said. The flaw could be exploited by cyberattackers.

Further compounding the troubles with the IE patch, Microsoft postponed the release of the updated fix at the eleventh hour because of an undisclosed problem discovered during testing, Stephen Toulouse, a Microsoft Security Response program manager, wrote on a corporate blog Tuesday.

"Providing the update in its current state would have resulted in customers being unable to deploy the update," Toulouse wrote, adding that the issue was discovered late Monday night.

As a result, users of IE 6.0 with SP1 are vulnerable to cyberattack regardless of their patching status. Microsoft advises users to install the patch and to disable the use of Hypertext Transfer Protocol (HTTP) version 1.1 in the browser.

The security issue does not impact other versions of IE, such as the version in Windows XP with SP2 or on Windows Server 2003, Microsoft said.

This is not the only patch Microsoft issued this month that is causing trouble. On Thursday, the company released a "hotfix" for a fault in security patch MS06-040. The fix addresses the problem of programs failing if they request one gigabyte or more of information on a patched system.

An update to the MS06-042 update is still in the works, but Microsoft could not say when it would be ready.

[8ball629]

Hah...

Whats new?

[Jesus#2]

do...

really need to say anything.. I mean.. come on. How much can the
lemmings take before they figure out that their ship is sinking....

[rcrusoe]

Is it just me?

Or does this same "IE has a security bug" story show up about every
six weeks.

[Seaspray0]

nope

No, it's not you. Cnet reports tech news... as much as they can. This is the second article concerning this same bug. Since I do not run IE 6 or have programs calling over 1 GB of memory (more than what my PC has), I'm not too concerned. These bugs will only affect a very small percentage of windows users, but it is still tech news and cnet has the right to report it.

[paulsecic]

I predict

Vista will be delayed to 2008!

[n3td3v]

the situation with Microsoft is dreadful

the situation with Microsoft is dreadful for everyone but the security companies can't get enough of these f-ups because there is so much money to be made! i don't mean this situation, i mean "the situation"...spanning over many years with Microsoft's failures at every level at every turn to be secure. the security companies in a million years would never tell anyone to move to Linux because they would straight away lose money. But thats what the security companies should be doing, but it will never happen, the security companies love Microsoft. I mean only last week or so Symantec was getting nervous because Microsoft is planning to shut Symantec out of the Windows Vista kernal. security companies are ment to have our best interest in mind, but all they have is Microsoft Windows in mind the most insecure operating system in the world. In short, if everyone moved to Linux, Symantec etc would be out of a job... and thats the last thing they want is everyone to move to Linux....so the only people you'll ever see telling you to move to Linux, will be people like me in the bottom of news articles, because the security companies haven't got it in them to get it out them. Move to Linux folks! <--- the big bad words Symantec and others don't want to mutter...but should be. regards.

[Seaspray0]

And the diference would be?

Linux gets attacked by hackers as well. Linux also provides security patches and updates on a regular basis. Linux does not have a spotless record of patches working perfectly; some patches for linux do cause issues. Is this any different? "Hey, everybody, you should move to my operating sytem because yours isn't perfect!". You neglect to mention that the other one isn't perfect either.

[KsprayDad]

Update your freaking system

Only affects those that are still running SP1 ...

You deserve it.

[Dalkorian]

agreed

Only affects those that are still running Winblows - you deserve it.

[gerardogerardo80]

n3td3v Don't talk to wall. People need to think not to be told what to do

Who ever saw the mess with Windows after 2003 Blaster debacle, should had come to the conclusion, that we had a real problem and arrived to the following conclusions.

There was no use going back to Microsoft to solve the problems a Lemon is alwasys a Lemon and you won't get an orange out of a lemon.

Symantech is out for profits and will profit out of our ignorance, fear is excellent to control human behaivor and buying out of fear is the best seller of all.

If people don't see that they need an alternative to Windows, don't worry, they'll pay the price, you can use Linux and have no problems, I have 10 machines and 15 extra hard drives and I test almost every version of Linux as soon as they come out of oven, just to know my best choices. All this thanks to Windows. If Windows had worked perfect out of the box, I would never got into all this testing and experimenting with Linux that I enjoy very much.

Microsoft is only partially responsible, people want their Windows, I have spent hours talking and
showing friends the benefits of Linux no one has crossed the line, only one is keeping a copy and told me that if one day his XP goes kaput he will try Linux.

Personal responsability is the, you have to protect your self, if you wait for the police, it will be too late, you'll be dead. Don't even think about the court system they are sold to big layers, politicians and corporations. It is up to the consumer. The day consumers boicot Dell and HP and demand a safe OS, that will be the day.

Until I see that day, I enjoy my Linux, I don't buy any MS, Computer Assc. Symantech etc products. I don't buy computers with pre-installed Windows. No Dells and no HPs.

We have the power.... but choose not to use it we deserve Windows.

[13stones]

Linux

See you need to look at it from a different perspective! When a company "X" we'll call it brings out a new something, call it"Y", then we the consumers-"Z" are supposed to automatically "KNOW" what X is talking about without any real explaination of what Y is or does and how it would do what it does. And there is the problem of how to get Y if we for some unknown reason actully want Y.
I'v heard people talk about LINUX and say BAD BADDER and BADDEST stuff about it. Now you say we ought to get it but when where and how. No explaination of that. Inerta is that Windows is already in the machines we buy (UNLESS we go Apple)which I also have in my home.No one explains how to get LINUX (where do you buy? it anyway) and replace Windows without loosing everything. Get the point,yet??

[Macsaresafer]

First they need to build awareness.

Linux gains ground through guerilla marketing, and that's what's
going on here. Eventually, enough people should be aware of it
that computer resellers can sell it pre-installed. The debate in
the future should be Mac or Linux, with Windows being
relagated to legacy status.

You can already see it with people switching to Mac. They're
getting the new Intel Macs secure in the knowledge that they can
boot into Windows if they really need to, but then rarely using it.
Linux will get there too, but it will take time.