Microsoft Re-patches Repatch, Issues Third Fix For IE Flaws

Among the patches posted Tuesday by Microsoft Corp. in its regular monthly release was a re-repatch of a fix for Internet Explorer that had already been pushed to users twice.

The Tuesday re-release of MS06-042, which debuted Aug. 8, included fixes for 10 vulnerabilities -- two more than in the original -- because of yet another bug uncovered by eEye Digital Security, a California-based company that was blasted last month by Microsoft for not abiding by its unwritten vulnerability disclosure rules.

The newly-patched bug in IE was reported by eEye to Microsoft Aug. 24, the same day that the Redmond, Wash.-based developer issued its first re-release of MS06-042 to fix another flaw it had overlooked. This second bug, said eEye in an online advisory, is "almost identical" to the vulnerability it spotted in August. Like that flaw, the new problem is in how IE handles long URLs when users visit sites that have applied both compression and the HTTP 1.1 protocol.

Although Microsoft didn't use the term, the just-fixed vulnerability was a "regression," a bug not present earlier but introduced by an error in the patch.

"This update cycle has not been an example of our best work," admitted Tony Chor, group program manager for Internet Explorer, in an entry on the team's blog. Last month, Microsoft attacked eEye Digital's chief hacking officer, Marc Maiffret, for what it called "irresponsible disclosure" of the original long URL bug. Maiffret struck back by pointing out that Microsoft released far more information on the company's security blog than he had in his warning.

At the time, Chor promised that Microsoft would take steps to prevent similar mistakes and would review the last 10 months of code check-ins by the developer responsible for the error. Tuesday, he only said that "this release and the need for subsequent re-releases have certainly been a learning experience for us."

A third strike on a security update is unusual, said Eric Schultze, the chief security architect at patch manager developer Shavlik. "I can remember only one or two since 2000," said Schultze.

"This was a case of damned if you do, damned if you don't," he added. Users who applied the second iteration of MS06-042 may have fixed one flaw, but left themselves open to this newest bug. Anyone who avoided the just-patched vulnerability by not applying the Aug. 24 version of MS06-042 was at risk from the first long URL flaw.

"We saw enterprises scramble to deploy the first [MS06-042] because it was Critical," Schultze said. "Companies next scrambled to get the private patch from Microsoft, which is what became the fix for [MS06-042] number two. Everyone scrambled for that, and now we're all scrambling to get number three. This kind of thing takes a lot of time and effort."In a side note, Microsoft returned eEye Digital Security's name to the credit list of MS06-042 when it re-released the bulletin Tuesday. After the August, brouhaha, the company removed eEye from the Acknowledgements section, where it thanks vendors and researchers for reporting bugs to the company.