By Gregg Keizer, TechWeb Technology News
Two days after Microsoft Corp. ripped a security researcher for what it called "irresponsible disclosure" of a flawed Internet Explorer patch, the Redmond, Wash., developer issued version 2.0 of the fix and told Windows 2000 and Windows XP SP1 users to apply it immediately.
The updated MS06-042 security bulletin now includes a ninth patch, which applies only to IE 6.0 SP1 users who have installed the original cumulative fixes since Aug. 8.
"The revised version of MS06-042 fully resolves the security vulnerability discussed in Microsoft Security Advisory 923762 and addresses the issues discovered prior to release," said a Microsoft spokesman in an e-mail to TechWeb. The advisory he referred to was posted Tuesday, when Microsoft acknowledged that the Aug. 8 patches introduced an exploitable vulnerability in the 6.0 SP1 edition of IE. Earlier, Microsoft had insisted that the bug would only crash the affected browsers.
Last week, however, eEye Digital Security reported to Microsoft that the flaw was more severe, and could easily be exploited by attackers to compromise Windows 2000 and Windows XP SP1 systems. eEye and Microsoft disagreed on whether to release additional information before the re-patched patch was available; in the end, Microsoft slapped the "irresponsible" tag on eEye, and in particular, its chief hacking officer, Marc Maiffret.
Maiffret hit back Wednesday by pointing out that Microsoft disclosed more information useful to exploit writers than did eEye. "You just told everyone what to look for," Maiffret said then.
The revised MS06-042 should be deployed only by users of IE 6.0 SP1, said the Microsoft spokesman Thursday. Users of other editions who have already deployed and installed the original MS06-042 security bulletin's fixes don't need to take any additional action.