Microsoft Postpones Fix for Patch

Microsoft on Tuesday said it was postponing a planned fix to its August cumulative patch for Internet Explorer due to an issue that would prevent users from being able to deploy the update properly, while at the same time acknowledging the first patch also opened users up to a code execution attack.

The existence of a vulnerability in the patch was first announced by eEye Digital Security, which Microsoft has chided for publicly disclosing the flaws. However, eEye defended itself, saying that it had only mentioned that the patch was indeed exploitable, noting that the Redmond company had released the most details on the problem itself.

In Microsoft's own advisory describing the flaw, it said the issue can be recreated using long URLs to sites using HTTP 1.1 and compression. In a statement on the disclosure, Microsoft Security Response Center research Stephen Toulouse defended the company's decision to stay quiet.

"There was no intent here to misrepresent the issue as not being exploitable," he argued. "Unfortunately, one of the security researchers who reported this to us disagreed with our decision to hold communications and has publicly pointed out the exploitability of the specific crash and the affected platform."

The updated patch will be held off indefinitely until "it meets an appropriate level of quality for broad distribution," Microsoft said. In the meantime, concerned users are being urged to apply a hotfix as described in another advisory to avoid issues, and now to protect from possible attacks.

To date, no reports of exploits using the new flaw have been reported to Microsoft. But with the information now public, the company said it expected incidences of attacks taking advantage of the vulnerability to be on the increase.