August 24, 2006 12:44 PM PDT

Microsoft fixes troubled IE patch

Microsoft has released an updated version of a faulty Internet Explorer patch to fix a serious security flaw introduced by the original version.

The flaw was discovered after users of IE 6 with Service Pack 1 reported that the browser crashed when certain Web pages were viewed. That crash turned out to be the result of a buffer overrun vulnerability introduced by the security update, Microsoft said earlier this week. The flaw could be exploited by cyberattackers, it said.

"The revised version (of the update)...fully resolves the security vulnerability," a Microsoft representative said in a statement sent via e-mail on Thursday.

Timeline

Aug. 8: Microsoft issues MS06-042 update for IE.

Aug. 15: Microsoft confirms the patch can cause browser crashes. Sets date of Aug. 22 for release of replacement patch.

Aug. 22: Distribution problems delay re-release of patch. eEye and Microsoft say browser crashes in original bulletin constitute a serious security flaw.

Aug. 24: Replacement MS06-042 update delivered.

The company originally set Tuesday for the release of a new version of the MS06-042 update that would fix the browser crash problem. However, it postponed delivery because of distribution problems. At the same time, eEye Digital Security disclosed that the crash was actually an exploitable security flaw, sending Microsoft scrambling to push the fixed patch out as soon as possible.

"Certainly, those are two events that we wish had not occurred, but we are learning from those situations, and we're going to work to make sure they don't happen again," Stephen Toulouse, a Microsoft Security Response program manager, said in an interview.

Microsoft sent out the initial MS06-042 security bulletin on Aug. 8, as part of its monthly patch cycle. The update, deemed "critical" by Microsoft, addresses eight flaws in the widely used browser. It is one of a dozen security updates in this month's Patch Tuesday batch.

"Everything with this Microsoft IE debacle was mistake after mistake," said Marc Maiffret, chief technology officer at eEye Digital Security, which publicly disclosed the security bug introduced by Microsoft's patch. "I would have to question who was in charge of strategy at Microsoft for the handling of this situation."

The patch trouble and the security issue only have an impact on users of IE 6.0 with SP1, which may run on Windows XP or Windows 2000. They do not affect other versions of IE, such as that in Windows XP with SP2 or in Windows Server 2003, Microsoft said. The company is urging affected users to download and install the new patch.

Already, the team that develops IE has documented the chain of events, including the code created by the developer who crafted the initial patch, Toulouse said. "They changed some of their tools and procedures," he said.

The developer responsible for the gaffe can expect to be held accountable, he added. "There are definite ramifications for situations like this," he said.

However, it is unclear what those action will be taken. "It is very complex," Toulouse said. An investigation into the error is ongoing.

There has been some debate about the reason behind the delay to the updated patch. Microsoft postponed it because of an error that would prevent certain patch management applications from distributing it, Toulouse said. The error was in the associated ".cab" file that contains update details used by those applications.

The patch would have been available on Windows Update and through patch management applications that do not use the ".cab" file, but users of Microsoft's patch management tools and other third-party tools would not have been able to deploy it, he said. These tools are used by organizations to do automated patch installations on multiple computers.

"Our goal is to protect all customers at the same time, and if we run into a situation where there is going to be a significant number of customers who are unable to deploy the update, we can't leave those customers behind," Toulouse said.

See more CNET content tagged:
Stephen Toulouse, eEye Digital Security, security flaw, patch, flaw

3 comments

Join the conversation!
Add your comment
come on!
Wow. First release an unvetted patch for a security issue in the least
secure browser in the world. Then later discover a buffer overrun
issue that opens a serious security threat IN THE PATCH??? A
*BUFFER OVERRUN* issue? IN THE PATCH??

I knew Micro$loth was incompetant, but this is getting silly now.
Anyone dumb enough to trust this trashware from Redmond
deserves what's coming to them.
Posted by Dalkorian (3000 comments )
Reply Link Flag
and don't ya just love it when...
it's always user error from every sites CEO's.
Duhhh, everytime I have a problem, the first thing I do is go to the Windows updates pages and look for their updates, as that is usually where the problem lies. You have to wait out about 3 patches for them to get it right.
Rule no.1]NEVER and I mean NEVER believe a tech guy trying to convince you it's your error.
Posted by ebgirl (2 comments )
Link Flag
Say a prayer for the Windows users!!
Geeze,
Patch 1, patch 2 patch 3???

Do we have a winner yet??
Posted by ittech1 (11 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.