
August 22, 2006 5:41 PM PDT

IE patch carries security bug

There's more trouble with Microsoft's latest Internet Explorer patch: It introduces a serious new security flaw on some Windows systems.

The vulnerability could let miscreants hijack a Windows PC running IE 6 with Service Pack 1 and the MS06-042 update installed, Microsoft said in a security advisory published on Tuesday. The flaw lies in the way IE handles long Web addresses and could be exploited by luring users to specially crafted Web sites, according to the advisory.

"An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system," Microsoft said in its advisory. "We are not aware of attacks that try to use the reported vulnerability."

Microsoft released the MS06-042 security update on Aug. 8 as part of its monthly patch cycle. The update, deemed "critical" by Microsoft, addresses eight flaws in the ubiquitous browser. It is one of a dozen security updates that Microsoft released this month on Patch Tuesday.

The company planned to release a new version of the MS06-042 update on Tuesday to fix a problem with browser crashes reported by some users after installing the original fix. That crash, it turns out, is the result of a "buffer overrun" flaw introduced by the security update, Microsoft said. The flaw could be exploited by cyberattackers.

Further compounding the troubles with the IE patch, Microsoft postponed the release of the updated fix at the eleventh hour because of an undisclosed problem discovered during testing, Stephen Toulouse, a Microsoft Security Response program manager, wrote on a corporate blog Tuesday.

"Providing the update in its current state would have resulted in customers being unable to deploy the update," Toulouse wrote, adding that the issue was discovered late Monday night.

As a result, users of IE 6.0 with SP1 are vulnerable to cyberattack regardless of their patching status. Microsoft advises users to install the patch and to disable the use of Hypertext Transfer Protocol (HTTP) version 1.1 in the browser.

The security issue does not impact other versions of IE, such as the version in Windows XP with SP2 or on Windows Server 2003, Microsoft said.

This is not the only patch Microsoft issued this month that is causing trouble. On Thursday, the company released a "hotfix" for a fault in security patch MS06-040. The fix addresses the problem of programs failing if they request one gigabyte or more of information on a patched system.

An update to the MS06-042 update is still in the works, but Microsoft could not say when it would be ready.


14 comments
Hah...
by 8ball629 August 22, 2006 7:57 PM PDT
What's new?

do...
by Jesus#2 August 23, 2006 5:25 AM PDT
really need to say anything.. I mean.. come on. How much can the
lemmings take before they figure out that their ship is sinking....

Is it just me?
by rcrusoe August 23, 2006 5:48 AM PDT
Or does this same "IE has a security bug" story show up about every
six weeks.

the situation with Microsoft is dreadful
by n3td3v August 23, 2006 6:30 AM PDT
The situation with Microsoft is dreadful for everyone but the security companies can't get enough of these f-ups because there is so much money to be made! I don't mean this situation, I mean "the situation"... spanning over many years with Microsoft's failures at every level at every turn to be secure. The security companies in a million years would never tell anyone to move to Linux because they would straight away lose money. But that's what the security companies should be doing, but it will never happen, the security companies love Microsoft. I mean only last week or so Symantec was getting nervous because Microsoft is planning to shut Symantec out of the Windows Vista kernel. Security companies are meant to have our best interest in mind, but all they have is Microsoft Windows in mind, the most insecure operating system in the world. In short, if everyone moved to Linux, Symantec etc would be out of a job... and that's the last thing they want is everyone to move to Linux.... so the only people you'll ever see telling you to move to Linux, will be people like me in the bottom of news articles, because the security companies haven't got it in them to get it out them. Move to Linux folks! <--- the big bad words Symantec and others don't want to mutter... but should be. regards.

Update your freaking system
by KsprayDad August 23, 2006 6:44 AM PDT
Only affects those that are still running SP1 ...

You deserve it.

n3td3v Don't talk to wall. People need to think not to be told what to do
by gerardogerardo80 August 23, 2006 9:59 AM PDT
Whoever saw the mess with Windows after the 2003 Blaster debacle should have come to the conclusion that we had a real problem and arrived at the following conclusions.

There was no use going back to Microsoft to solve the problems; a lemon is always a lemon and you won't get an orange out of a lemon.

Symantec is out for profits and will profit out of our ignorance; fear is excellent to control human behavior and buying out of fear is the best seller of all.

If people don't see that they need an alternative to Windows, don't worry, they'll pay the price. You can use Linux and have no problems. I have 10 machines and 15 extra hard drives and I test almost every version of Linux as soon as they come out of the oven, just to know my best choices. All this thanks to Windows. If Windows had worked perfectly out of the box, I would never have got into all this testing and experimenting with Linux that I enjoy very much.

Microsoft is only partially responsible, people want their Windows. I have spent hours talking and showing friends the benefits of Linux; no one has crossed the line, only one is keeping a copy and told me that if one day his XP goes kaput he will try Linux.

Personal responsibility is the, you have to protect yourself, if you wait for the police, it will be too late, you'll be dead. Don't even think about the court system, they are sold to big lawyers, politicians and corporations. It is up to the consumer. The day consumers boycott Dell and HP and demand a safe OS, that will be the day.

Until I see that day, I enjoy my Linux. I don't buy any MS, Computer Assc., Symantec etc. products. I don't buy computers with pre-installed Windows. No Dells and no HPs.

We have the power.... but choose not to use it we deserve Windows.

Linux
by 13stones August 23, 2006 12:02 PM PDT
See, you need to look at it from a different perspective! When a company, "X" we'll call it, brings out a new something, call it "Y", then we the consumers, "Z", are supposed to automatically "KNOW" what X is talking about without any real explanation of what Y is or does and how it would do what it does. And there is the problem of how to get Y if we for some unknown reason actually want Y.
I've heard people talk about LINUX and say BAD, BADDER and BADDEST stuff about it. Now you say we ought to get it, but when, where and how? No explanation of that. Inertia is that Windows is already in the machines we buy (UNLESS we go Apple), which I also have in my home. No one explains how to get LINUX (where do you buy it anyway?) and replace Windows without losing everything. Get the point, yet??