RSS

Microsoft Patch For Patch Needs A Patch

David Utter
Staff Writer
2006-08-23

Insider Reports RSS Feed

Just before rolling out a fix for the MS06-042 patch, Microsoft learned that a new issue causing crashes had been discovered, and that will require the company to re-release that patch at a later date.

More Microsoft Problems

We apologise again for the fault in the subtitles. Those responsible for sacking the people who have just been sacked, have been sacked.
Monty Python and the Holy Grail
A problem with Internet Explorer 6.0 SP1 became known after Microsoft first released MS06-042. The patch introduced a problem with that browser where it could crash upon attempting to handle long URLs using HTTP 1.1 and compression.

One example of the problem became known to technology firm CA, which received reports of customers accessing Unicenter Service Desk having their browsers crash. A report on the SANS Handler's Diary noted CA's expectation that the re-release of the MS06-042 patch would fix at least two issues causing the problem.

However, Microsoft has pulled the patch at the last minute. Microsoft officially provided notice that the updated patch will not go out today as planned:

Due to an issue discovered in final testing, Microsoft will not be re-releasing MS06-042 today. This update will be re-released for Internet Explorer 6 Service Pack 1 when it meets an appropriate level of quality for broad distribution.

While a browser crash is a bad enough condition, this particular crash was made worse by the public disclosure that the crash itself could be exploitable. Microsoft is very displeased with the researcher who chose to go public with that information.

Stephen Toulouse at Microsoft's Security Response Center posted about that disclosure:

Up until now, we have not seen any attacks using this vulnerability, nor have we seen broad awareness of this vulnerability. Since the exploitability of this is public now however, there is certainly increased risk of attack.

Toulouse also noted the advisory about the patch's delay and workarounds for the problem.

Tony Chor, group program manager for Internet Explorer, blogged about the patch and the issue causing the delay:

We've been working hard to improve our update quality over the past few years and built a pretty comprehensive set of checks and balances in our engineering process to prevent mistakes like this. In fact, this will be the first re-release of an IE update in 2.5 years (MS04-004 was the last one). Unfortunately, we missed this issue, plain and simple.

---
Tag: Microsoft

Add to

Del.icio.us |

Digg |

Yahoo! My Web |

Furl

Get all the updates in RSS:

About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.

More insider_reports_insider Articles

Insider Reports RSS Feed

Get Your Site Submitted for Free in the World's Largest B2B Directory!

Email Address:
* URL:
*
*Indicates Mandatory Field

Terms & Conditions

iEntry Featured Services: Jayde Member Services | Forums | Freeware | Advertise with Us

Featured On:

article resources

WebProWorld.com

•	Get in-touch with industry experts and leaders
•	Post your site for review by expert and peers
•	Ask Security, IT, Development and Design questions

Free Membership: Join Now!

Visit WebProWorld.com


Titan Quest Forum The #1 Titan Quest forum
Halo 3 Forum The best Halo, Halo 2, Halo 3 forum
Nintendo Wii Nintendo Wii news and views
Mac Software The best in OS X freeware
Graphics Forum Your source for graphic tutorials