Microsoft Nixes IE Repatch, Chides Researcher

Microsoft late Tuesday decided not to re-issue a patch for its Internet Explorer browser, then took a researcher to task for telling users that the flaw in the original Aug. 8 fix was far more serious than Microsoft acknowledged.

The bug in the patch issued as security bulletin MS06-042 can actually be exploited by attackers to run malicious code on Windows 2000 and Windows XP SP1 systems equipped with IE 6 Service Pack 1 (SP1), eEye Digital Security's chief hacking officer told TechWeb Tuesday.

"Within days of releasing that patch [on Aug. 8], everyone was experiencing problems with IE SP1," said Marc Maiffret. "The security mailing lists and blogs were full about the IE patch crashing the browser. But one of our developers figured out that the vulnerability was exploitable."

eEye informed Microsoft's security team last week of the bug that had been introduced by MS06-042, which had patched 8 different flaws in IE.

Wednesday, Aug. 16, Microsoft told customers in an online advisory that IE 6 SP1 was prone to crashing when users visited sites that had both compression and the HTTP 1.1 protocol enabled. It also promised to re-release the patch on Aug. 22; the revision would incorporate a hotfix that the company had cranked out. Until then, the hotfix would be available only to users who contacted Microsoft's product support by telephone.Tuesday, Microsoft announced it would not meet the Aug. 22 deadline for the repatched patch.

"Last night we found an issue that would prevent some customers from being able to deploy the update," wrote Tony Chor, a Microsoft group program manager on the IE team, in an entry on the group's blog. "As a result, we decided to hold the release until it meets the appropriate level of quality for such a broad distribution."

Chor downplayed the extent of the IE problem by noting that it affected only Windows 2000 and Windows XP SP1 users, then cited his group's overall code quality. "This will be the first re-release of an IE update in 2.5 years (MS04-004 was the last one)." But he also owned up to the screw-up. "We missed this issue, plain and simple."

He promised changes to prevent similar mistakes in the future, including a review of the past 10 months of code check-ins from the developer responsible for the error.

But both Chor and Stephen Toulouse, a program manager with the Microsoft Security Response Center (MSRC) blasted eEye for what they considered "irresponsible" disclosure of the severity of the bug introduced by MS06-042.

"One of the security researchers who reported this to us disagreed with our decision to hold communications and has publicly pointed out the exploitability of the specific crash and the affected platform," wrote Toulouse on the MSRC blog late Tuesday. That, said Toulouse, forced Microsoft's hand into outlining the actual severity of the flaw. Tuesday, it posted an advisory that described the issue and provided some defensive tactics users can take until a patch is released.eEye's Maiffret didn't hesitate to defend his company's actions. "We haven't put any kind of details in our alert," he said. "But Microsoft tells everyone exactly where the bug is." Microsoft's advisory noted that long URLs to sites using HTTP 1.1 and compression are at fault, while Chor's blog mentioned the urlmon.dll file.

"You just told everyone what to look for," Maiffret said. "How many times are you gonna mess up on this one?"

Microsoft and researchers have frequently clashed over what is, or isn't "responsible" disclosure. But this was a first for Maiffret. "I wouldn't have done anything different," he said, pointing out that both security researchers and exploit writers knew that the IE 6 SP1 bug was exploitable. The only people who didn't have the facts were IT administrators, and they are the ones who needed them to make informed decisions, Maiffret argued. "They need the truth[but]Microsoft had effectively been lying to them since the 10th or the 11th by saying it only crashed IE."

Everyone makes mistakes, Maiffret said, but differences are displayed by how companies own up to errors. "This whole thing turned into some kind of marketing thing," he said. "Microsoft was embarrassed and lashed out.

"The bug shouldn't have made it past original QA, that was mistake number one," he said. "Two, they introduced an error in the patch, and three, they tried to hide it. Finally, number four, they were the ones to release in their advisory the information attackers needed. They're the ones pointing the way, not us."The only thing eEye and Microsoft agreed on was what users could do to defend their systems against a possible exploit. Microsoft recommended users disable the HTTP 1.1 protocol by selecting Tools|Internet Options|Advanced, then unchecking "Use HTTP 1.1" and "Use HTTP 1.1 through proxy connections" boxes before clicking "OK."

eEye followed suit in its advisory, but also told users "the best way to protect your XP systems is to upgrade to Windows XP SP2 as it is protect against this vulnerability. Support for XP SP1 ends in October and there are huge security benefits to XP SP2."

Microsoft has not committed to a new release date for a revised MS06-042 patch.