To make things worse, Microsoft has got into a public slanging match with security company eEye for disclosing publicly that the MS06-042 security update itself creates an exploitable flaw. eEye has been making a name for itself in recent months by discovering security flaws in the products of large security vendors such as Symantec and McAfee.
According to Microsoft, eEye, which notified Microsoft of the vulnerability in MS06-042, should have stayed quiet until Microsoft had its fix for the patch completely ready for distribution.
However, eEye in its own advisory on its website refutes Microsoft's criticism and accuses Microsoft of originally misrepresenting the vulnerability saying:
"This information is already known in various research circles and also with exploit writers. So it is important that IT administrators understand the true threat of this problem that this is not simply a crashing bug as Microsoft has been incorrectly misrepresenting it but in fact that it is an exploitable security bug. Researchers and exploit developers know this, therefore it is extremely important that IT administrators are told what really is going on."
At last report, Microsoft had still not released a new fix for MS06-042 because it found problems in a fix that was supposed to be released on Tuesday.
The news of the latest bug comes in a month where Microsoft software security has been in the spotlight constantly. The Department of Homeland Security issued an alert highlighting the serious nature of a critical vulnerability in Windows addressed by security update MS06-040 and then Microsoft had to issue a fix for a problem discovered with that patch.
In addition, it was revealed that two of the seven critical bugs revealed by Microsoft in August also affected the Beta 2 version of its upcoming replacement operating system Windows Vista. That news in itself was surprising because Microsoft has put a lot of work into making Vista bullet proof.
RECRUITMENT & RETENTION REPORT 2013HIRE OR FIRE? BUY OR BUILD
2013 is well underway and Australian companies need to know whether they should invest in IT skills training or pay a premium for the people they need.
If you want to know which choices are being made in your sector, what skills are hard to find, which sectors intend to hire or fire and where the IT spend is going, this free report is must have.
Stan Beer co-founded iTWire in 2005. With 25 years of experience working in Australian technology media, Beer has published articles in most of the IT publications that have mattered, including the AFR, The Australian, SMH, The Age, as well as a multitude of trade publications.