September 13, 2006 9:54 AM PDT

Third time a charm for IE patch?

Microsoft has issued a third version of a troubled Internet Explorer patch, aiming to fix a bug in an earlier update that could be exploited to hijack Windows PCs.

The original MS06-042 patch, released on Aug. 8, introduced not one, but two new security holes. Microsoft addressed one flaw in an updated version of the patch released Aug. 24 and dealt with the second flaw in the third version released Tuesday, Tony Chor, a group program manager on the IE team at Microsoft, wrote on a corporate blog.

MS06-042, a cumulative security update for the widely used Web browser, was one of a dozen security updates delivered last month and was meant to repair eight flaws. Microsoft tagged the update "critical," its most severe rating.

The patch now fixes 10 flaws, including two introduced by earlier versions of the update. The first bug affected IE 6.0 with Service Pack 1 and could be exploited by remote attackers to commandeer a Windows PC. The second flaw is similar, but affects IE 5.01 on Windows 2000, IE 6.0 Service Pack 1 (in a different location), and IE in the original release of Windows Server 2003.

"This update cycle has not been an example of our best work, but...we have used this experience to improve our processes and increase transparency to ensure all of our releases are of the quality we expect and our customers deserve," Chor wrote.

This is one of the first times a Microsoft security patch has introduced a new vulnerability, leaving customers in a "darned if you do and darned if you don't" position, said Mark Shavlik, chief executive of patch management company Shavlik Technologies.

"A user who has either the first or second version of MS06-042 installed may get hacked if they visit an evil Web site with Internet Explorer," Shavlik said in an e-mailed statement.

The third version of the IE patch was released alongside three new Microsoft security updates in the company's regular monthly update cycle. The company also issued a new version of Windows patch MS06-040 to fix a problem some people experienced with the original update on 64-bit and 32-bit versions of Windows Server 2003 with Service Pack 1 and Windows XP Professional x64 Edition. The company last month made available a "hotfix" to temporarily fix the glitch.

The updates are available through all of Microsoft's regular release channels, including Windows Update, Automatic Update and Download Center, and via patch deployment tools such as Windows Server Update Services. Microsoft recommends that all those affected install the new software immediately.

Join the conversation!
The sad thing is that this is not news. Just standard MS nonsense.

I can't believe people are stupid enough to support this incompetent company.
Posted by qwerty75 (1164 comments )
Microsoft should fix IE permanently
by removing it from Windows and bundling Firefox with their OS.

That would fix a ton of Windows security problems and give MS
someone to blame when Windows has browser problems.

IE outlived its usefulness years ago and is now just an albatross
around Windows' neck.
Posted by rcrusoe (1305 comments )
The richest man in the world...
...cannot figure out how to fix his products, or hire someone who can?

What's going on here?!
Posted by Slooze (15 comments )
They need to put IE to rest
Software labelled v1.0 is usually full of bugs and not entirely complete as vendors rush to release their first product on time.

Software labelled v2.0 usually includes most of what didn't make it out the door in v1.0 as well as fixes for major bugs in v1.0.

Software labelled v3.0 usually fixes major bugs with the new stuff released in v2.0 as well as fixing most of the minor bugs remaining from the older v.1 which didn't make it into v2.0.

Thus it's often considered that from v3.0, the product is stable.

However in Microsoft's case... they're already up to v6.x and still have ONE BIG SECURITY FLAW AFTER ANOTHER.

That's understandable for Microsoft... but what I CANNOT understand is why so many people continue to use such a buggered up piece of trash which they call Internet Explorer!!!

Posted by wbenton (522 comments )