Microsoft Postpones Fix for Patch
By Ed Oswald | Published August 23, 2006, 3:07 PM
Microsoft on Tuesday said it was postponing a planned fix to its August cumulative patch for Internet Explorer due to an issue that would prevent users from being able to deploy the update properly, while at the same time acknowledging the first patch also opened users up to a code execution attack.
The existence of a vulnerability in the patch was first announced by eEye Digital Security, which Microsoft has chided for publicly disclosing the flaws. However, eEye defended itself, saying that it had only mentioned that the patch was indeed exploitable, noting that the Redmond company had released the most details on the problem itself.
In Microsoft's own advisory describing the flaw, it said the issue can be recreated using long URLs to sites using HTTP 1.1 and compression. In a statement on the disclosure, Microsoft Security Response Center research Stephen Toulouse defended the company's decision to stay quiet.
"There was no intent here to misrepresent the issue as not being exploitable," he argued. "Unfortunately, one of the security researchers who reported this to us disagreed with our decision to hold communications and has publicly pointed out the exploitability of the specific crash and the affected platform."
The updated patch will be held off indefinitely until "it meets an appropriate level of quality for broad distribution," Microsoft said. In the meantime, concerned users are being urged to apply a hotfix as described in another advisory to avoid issues, and now to protect from possible attacks.
To date, no reports of exploits using the new flaw have been reported to Microsoft. But with the information now public, the company said it expected incidences of attacks taking advantage of the vulnerability to be on the increase.
That "indefinitely" word doesn't sound too good. I hope it means "by October's patch Tuesday because we probably won't make it to September's". I really do.
For now, thanx for the workaround. I did the following and will report back on this thread whether it breaks anything..:
1. Start Internet Explorer 6.
2. On the Tools menu, click Internet Options, and then click the Advanced tab.
3. In the Settings box, click to clear the Use HTTP 1.1 check box under HTTP 1.1 settings, and then click OK.
Edit: OK that was quick.. Felt a bit slower than I re-enabled 1.1... No pr0n surfing for awhile then...
Score: 0
|Maybe Patchosoft needs to be critically fixed.
Score: 0
|Can MS programmers LITERALLY be THAT incompetent? To create a patch that opens up a NEW code-execution exploit? MY GOD THE HUMANITY!
Score: 0
|Microsoft brings new meaning to the word "inept". Just when I think they can't sink public opinion of their company any lower, they make some more quality bumbles like this. Classic.
Score: 0
|"The updated patch will be held off indefinitely until 'it meets an appropriate level of quality for broad distribution,' Microsoft said."
In other words they don't know how to fix it.
Interesting article on the situation can be found here:
http://www.eweek.com/art...c=EWRSS03119TX1K0000594
Score: 0
|