Network Computing is part of the Informa Tech Division of Informa PLC


Microsoft Nixes IE Repatch, Chides Researcher

Microsoft late Tuesday decided not to re-issue a patch for its Internet Explorer browser, then took a researcher to task for telling users that the flaw in the original Aug. 8 fix was far more serious than Microsoft acknowledged.

The bug in the patch issued as security bulletin MS06-042 can actually be exploited by attackers to run malicious code on Windows 2000 and Windows XP SP1 systems equipped with IE 6 Service Pack 1 (SP1), eEye Digital Security's chief hacking officer told TechWeb Tuesday.

"Within days of releasing that patch [on Aug. 8], everyone was experiencing problems with IE SP1," said Marc Maiffret. "The security mailing lists and blogs were full about the IE patch crashing the browser. But one of our developers figured out that the vulnerability was exploitable."

eEye informed Microsoft's security team last week of the bug that had been introduced by MS06-042, which had patched 8 different flaws in IE.

Wednesday, Aug. 16, Microsoft told customers in an online advisory that IE 6 SP1 was prone to crashing when users visited sites that had both compression and the HTTP 1.1 protocol enabled. It also promised to re-release the patch on Aug. 22; the revision would incorporate a hotfix that the company had cranked out. Until then, the hotfix would be available only to users who contacted Microsoft's product support by telephone.
