I've run out of funny things to say about MS....
Written by Daniel   
Wednesday, 23 August 2006 15:13
Dark Reading

IE Patch Created New Vulnerability

AUGUST 22, 2006 | Know that recent Internet Explorer 6 patch that caused browsers to crash? Turns out Microsoft actually introduced a new vulnerability for IE6 browsers running Service Pack 1, according to the researchers who discovered it.

eEye Digital Security alerted Microsoft about the bug last Thursday after testing the patch. "[Microsoft] either didn't realize it was a security vulnerability or were hoping nobody would notice," says Marc Maiffret, CTO and chief hacking officer of eEye.

Microsoft had put up a Knowledge Base article on its site on August 11 -- three days after issuing MS06-042 along with the other 11 patches on its monthly Patch Tuesday -- that explained that the patch caused the browser crashes. (See Microsoft's Big Patch Day.) The crashes occur when viewing HTTP 1.0 Web pages that use compression.

Microsoft said last week in its Microsoft Security Response Center blog that it would release yet another patch today to take care of the browser crash problem. But the patch won't be coming today after all, according to a Microsoft spokesperson. "Due to an issue in final testing that impacts a customer's ability to broadly deploy the update, Microsoft will not be re-releasing MS06-042 today," the spokesperson said. It will release it once the "issue is resolved."

But the bigger problem is the new bug the patch generated. The vulnerability causes a heap-based buffer overflow, which lets an attacker on a malicious Website execute code with the browser user's privileges, says eEye's Maiffret.



Copyright ©2001 - 2012, AOA Forums.  All rights reserved.

Alliance of Overclocking Arts
