The bug in the MS06-042 security update causes Internet Explorer 6 with
Service Pack 1 to crash due a buffer overrun if the user visits certain
websites. However, Microsoft now admits that flaw is exploitable and
could allow an attacker to gain control of a computer if the user
visits a website specially designed for that purpose.
To make things worse, Microsoft has got into a public slanging match
with security company eEye for disclosing publicly that the MS06-042
security update itself creates an exploitable flaw. eEye has been
making a name for itself in recent months by discovering security flaws
in the products of large security vendors such as Symantec and McAfee.
According to Microsoft, eEye, which notified Microsoft of the
vulnerability in MS06-042, should have stayed quiet until Microsoft had
its fix for the patch completely ready for distribution.
However, eEye in its own advisory on its website refutes Microsoft's
criticism and accuses Microsoft of originally misrepresenting the
vulnerability saying:
"This information is already known in various research circles and also
with exploit writers. So it is important that IT administrators
understand the true threat of this problem that this is not simply a
crashing bug as Microsoft has been incorrectly misrepresenting it but
in fact that it is an exploitable security bug. Researchers and exploit
developers know this, therefore it is extremely important that IT
administrators are told what really is going on."
At last report, Microsoft had still not released a new fix for MS06-042
because it found problems in a fix that was supposed to be released on
Tuesday.
The news of the latest bug comes in a month where Microsoft software
security has been in the spotlight constantly. The Department of
Homeland Security issued an alert highlighting the serious nature of a
critical vulnerability in Windows addressed by security update MS06-040
and then Microsoft had to issue a fix for a problem discovered with
that patch.
In addition, it was revealed that two of the seven critical bugs
revealed by Microsoft in August also affected the Beta 2 version of its
upcoming replacement operating system Windows Vista. That news in
itself was surprising because Microsoft has put a lot of work into
making Vista bullet proof.
Microsoft now needs a patch for its patch
It just seems to get worse for for Microsoft on the Windows security front. Now the software company has been forced to create a patch for a patch released earlier this month which has introduced a new critical security vulnerability in Internet Explorer.
RECRUITMENT & RETENTION REPORT 2013
HIRE OR FIRE? BUY OR BUILD2013 is well underway and Australian companies need to know whether they should invest in IT skills training or pay a premium for the people they need.
If you want to know which choices are being made in your sector, what skills are hard to find, which sectors intend to hire or fire and where the IT spend is going, this free report is must have.
Stan Beer
Stan Beer co-founded iTWire in 2005. With 25 years of experience working in Australian technology media, Beer has published articles in most of the IT publications that have mattered, including the AFR, The Australian, SMH, The Age, as well as a multitude of trade publications.
