Microsoft now needs a patch for its patch

Stan Beer
Thursday, 24 August 2006 06:00

Business IT - Security

It just seems to get worse for for Microsoft  on the Windows security front. Now the software company has been forced to create a patch for a patch released earlier this month which has introduced a new critical security vulnerability in Internet Explorer.

The bug in the MS06-042 security update causes Internet Explorer 6 with Service Pack 1 to crash due a buffer overrun if the user visits certain websites. However, Microsoft now admits that flaw is exploitable and could allow an attacker to gain control of a computer if the user visits a website specially designed for that purpose.

To make things worse, Microsoft has got into a public slanging match with security company eEye for disclosing publicly that the MS06-042 security update itself creates an exploitable flaw. eEye has been making a name for itself in recent months by discovering security flaws in the products of large security vendors such as Symantec and McAfee.

According to Microsoft, eEye, which notified Microsoft of the vulnerability in MS06-042, should have stayed quiet until Microsoft had its fix for the patch completely ready for distribution.

However, eEye in its own advisory on its website refutes Microsoft's criticism and accuses Microsoft of originally misrepresenting the vulnerability saying:

"This information is already known in various research circles and also with exploit writers. So it is important that IT administrators understand the true threat of this problem that this is not simply a crashing bug as Microsoft has been incorrectly misrepresenting it but in fact that it is an exploitable security bug. Researchers and exploit developers know this, therefore it is extremely important that IT administrators are told what really is going on."

At last report, Microsoft had still not released a new fix for MS06-042 because it found problems in a fix that was supposed to be released on Tuesday.

The news of the latest bug comes in a month where Microsoft software security has been in the spotlight constantly. The Department of Homeland Security issued an alert highlighting the serious nature of a critical vulnerability in Windows addressed by security update MS06-040 and then Microsoft had to issue a fix for a problem discovered with that patch.

In addition, it was revealed that two of the seven critical bugs revealed by Microsoft in August also affected the Beta 2 version of its upcoming replacement operating system Windows Vista. That news in itself was surprising because Microsoft has put a lot of work into making Vista bullet proof.