August 22, 2006 5:41 PM PDT
IE patch carries security bug
The vulnerability could let miscreants hijack a Windows PC running IE 6 with Service Pack 1 and the MS06-042 update installed, Microsoft said in a security advisory published on Tuesday. The flaw lies in the way IE handles long Web addresses and could be exploited by luring users to specially crafted Web sites, according to the advisory.
"An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system," Microsoft said in its advisory. "We are not aware of attacks that try to use the reported vulnerability."
Microsoft released the MS06-042 security update on Aug. 8 as part of its monthly patch cycle. The update, deemed "critical" by Microsoft, addresses eight flaws in the ubiquitous browser. It is one of a dozen security updates that Microsoft released this month on Patch Tuesday.
The company planned to release a new version of the MS06-042 update on Tuesday to fix a problem with browser crashes reported by some users after installing the original fix. That crash, it turns out, is the result of a "buffer overrun" flaw introduced by the security update, Microsoft said. The flaw could be exploited by cyberattackers.
Further compounding the troubles with the IE patch, Microsoft postponed the release of the updated fix at the eleventh hour because of an undisclosed problem discovered during testing, Stephen Toulouse, a Microsoft Security Response program manager, wrote on a corporate blog Tuesday.
"Providing the update in its current state would have resulted in customers being unable to deploy the update," Toulouse wrote, adding that the issue was discovered late Monday night.
As a result, users of IE 6.0 with SP1 are vulnerable to cyberattack regardless of their patching status. Microsoft advises users to install the patch and to disable the use of Hypertext Transfer Protocol (HTTP) version 1.1 in the browser.
The security issue does not impact other versions of IE, such as the version in Windows XP with SP2 or on Windows Server 2003, Microsoft said.
This is not the only patch Microsoft issued this month that is causing trouble. On Thursday, the company released a "hotfix" for a fault in security patch MS06-040. The fix addresses the problem of programs failing if they request one gigabyte or more of information on a patched system.
An update to the MS06-042 update is still in the works, but Microsoft could not say when it would be ready.
12 commentsJoin the conversation! Add your comment