Cameras
Camcorders
Cell Phones
Components
Desktops
HDTV
Home Theater
GPS
Laptops
Monitors
MP3 Players
Networking &
Printers
Storage
More…
Facebook
Twitter
Digg
PrintTwo days later than expected, Microsoft has reissued a critical security update for its Internet Explorer browser.
The reissued patch is important because it "fully resolves" a serious security bug Microsoft introduced with the original update, released August 8.
Microsoft acknowledges that there were problems with its update soon after it was issued. Web sites that used HTTP (HyperText Transfer Protocol) 1.1 compression to speed up the downloading of images could cause the browser to fail, and users of Web-based applications such as PeopleSoft, Siebel, and Sage CRM had problems with the software.
The issue does not affect users of Microsoft's latest Service Pack 2 version of Windows XP, but users of Internet Explorer 6 Service Pack 1 on Windows 2000 Service Pack 4 and Windows XP Service Pack 1 are affected, Microsoft says.
Coming Through Auto Update
Last week, Microsoft released a "hotfix" download that addressed these problems, but the software vendor also decided to take the unusual step of announcing that it would rerelease the entire update (called MS06-042). This would ensure that subscribers to Microsoft's automatic update services would receive the fixed patch.
That update had been slated for release on August 22, but it was ultimately delayed because of an "issue discovered in final testing," Microsoft says.
Just as Microsoft was announcing this delay, security researchers at eEye Digital Security disclosed the security issue, saying that Microsoft's August 8 update had actually created a new IE bug that attackers could exploit to run unauthorized software on a PC.
Though no attacks exploiting this bug have been reported, eEye believes that the issue is critical.
"The bad guys basically know about this and know that it's an exploitable scenario," eEye's chief hacking officer Marc Maiffret said Tuesday.
Microsoft has published a security advisory on this issue.
While Microsoft's introducing bugs in its security updates is not uncommon, it is unusual for the company to give guidance on when it plans to fix such bugs, says Russ Cooper, senior information security analyst for Cybertrust.
It is also unusual for security firms like eEye to then investigate the bugs for security problems and disclose their existence before Microsoft has patched the problem, he adds. "They should have reported ... this issue to Microsoft first, and only," he says. "And then waited for Microsoft to release a fix."
Microsoft has posted additional details on the newly rereleased MS06-042 security update.
