News

Microsoft Postpones Fix for Patch

By Ed Oswald | Published August 23, 2006, 3:07 PM

Microsoft on Tuesday said it was postponing a planned fix to its August cumulative patch for Internet Explorer due to an issue that would prevent users from being able to deploy the update properly, while at the same time acknowledging the first patch also opened users up to a code execution attack.

The existence of a vulnerability in the patch was first announced by eEye Digital Security, which Microsoft has chided for publicly disclosing the flaws. However, eEye defended itself, saying that it had only mentioned that the patch was indeed exploitable, noting that the Redmond company had released the most details on the problem itself.

In Microsoft's own advisory describing the flaw, it said the issue can be recreated using long URLs to sites using HTTP 1.1 and compression. In a statement on the disclosure, Microsoft Security Response Center research Stephen Toulouse defended the company's decision to stay quiet.

"There was no intent here to misrepresent the issue as not being exploitable," he argued. "Unfortunately, one of the security researchers who reported this to us disagreed with our decision to hold communications and has publicly pointed out the exploitability of the specific crash and the affected platform."

The updated patch will be held off indefinitely until "it meets an appropriate level of quality for broad distribution," Microsoft said. In the meantime, concerned users are being urged to apply a hotfix as described in another advisory to avoid issues, and now to protect from possible attacks.

To date, no reports of exploits using the new flaw have been reported to Microsoft. But with the information now public, the company said it expected incidences of attacks taking advantage of the vulnerability to be on the increase.

Comments

View comments by with a score of at least

extremely well
Aug 24, 2006 - 12:16 PM edited

That "indefinitely" word doesn't sound too good. I hope it means "by October's patch Tuesday because we probably won't make it to September's". I really do.

For now, thanx for the workaround. I did the following and will report back on this thread whether it breaks anything..:
1. Start Internet Explorer 6.
2. On the Tools menu, click Internet Options, and then click the Advanced tab.
3. In the Settings box, click to clear the Use HTTP 1.1 check box under HTTP 1.1 settings, and then click OK.

Edit: OK that was quick.. Felt a bit slower than I re-enabled 1.1... No pr0n surfing for awhile then...

Score: 0

|
Post Reply
cannie
Aug 24, 2006 - 4:46 AM

Maybe Patchosoft needs to be critically fixed.

Score: 0

|
Post Reply
c4p0ne
Aug 23, 2006 - 11:35 PM edited

Can MS programmers LITERALLY be THAT incompetent? To create a patch that opens up a NEW code-execution exploit? MY GOD THE HUMANITY!

Score: 0

|
Post Reply
zee7
Aug 23, 2006 - 10:18 PM

Microsoft brings new meaning to the word "inept". Just when I think they can't sink public opinion of their company any lower, they make some more quality bumbles like this. Classic.

Score: 0

|
Post Reply
sophist_dreams
Aug 23, 2006 - 3:44 PM edited

"The updated patch will be held off indefinitely until 'it meets an appropriate level of quality for broad distribution,' Microsoft said."

In other words they don't know how to fix it.

Interesting article on the situation can be found here:

http://www.eweek.com/art...c=EWRSS03119TX1K0000594

Score: 0

|
Post Reply

'A pivot from war to peace:' The AMD + Intel armistice, in their own words

An extraordinary day in technology history is recognized by two long-time rivals that mutually decided it's futile to fight anyplace else except the marketplace.

PS3, Xbox to soon get Twitter, Facebook integration

Both Microsoft's Xbox 360 and Sony's PlayStation 3 will integrate with Facebook in the near future.

Windows Marketplace for Mobile now available in browser, iTunes' App Store still not

You can now check out what Windows Marketplace for Mobile has to offer without a Windows Phone.

Microsoft damage control after marketer claims Win7 inspired by Mac

Have you ever said anything you wish you could take back? Ever? No? Not even once? Well then, you won't sympathize with a mid-level Microsoft manager today.

Blockbuster's way down, but poised for a comeback

Though it took a serious beating in 2009, Blockbuster CEO Jim Keyes says the company can turn it around.

iTunes Preview deson't go far enough to create Web-based option for store

Apple has rolled out iTunes Preview, a Web interface for browsing iTunes.

PDC 2009 Preview: The move to Office 2010 and Visual Studio 2010

The major focus of Microsoft's conference next week will likely be explaining why two pillars of its software sales strategy deserve to remain where they are.

Dell's first smartphone aids the Android onslaught

Longtime PC leader Dell has finally announced its Android-based smarphone.

After the Intel + AMD armistice: Do we really want a level playing field?

Scott Fulton On Point: One by one, the reasons for us to continue suspending the course toward open and fair competition in IT, are dropping like flies.

FLO TV launches pocketable, smartphone-like TVs

Qualcomm's FLO TV Personal Television made by HTC launches in retail today.

Google acquires Gizmo5, builds IP telephony portfolio

Google Voice today confirmed rumors that it would acquire IP telephony company Gizmo5