August 30, 2006

Almost three days later than expected, Microsoft has re-issued a critical security update for its Internet Explorer browser. The twice-issued security patch is important because it fully resolves a critical security flaw Microsoft introduced with the original update, released three weeks ago.

The company acknowledged that there were specific security problems with its update soon after it was issued. Websites that used HTTP 1.1 compression to speed up the downloading of images could cause the browser to fail and users of Web-based applications such as PeopleSoft, Siebel, and Sage CRM had various issues with the software.

The issue does not affect users of Microsoft's latest Service Pack 2 version of Windows XP, but users of Internet Explorer 6 Service Pack 1 on Windows 2000 Service Pack 4 and Windows XP Service Pack 1 are affected, Microsoft said.

Last week, Microsoft released a "hotfix" download that addressed these problems, but the software vendor also decided to take the unusual step of announcing it would re-release the entire update (called MS06-042). This would ensure that subscribers to Microsoft's automatic update services would automatically receive the fixed patch.

That update was slated to have been released this Tuesday, but it was ultimately delayed because of an "issue discovered in final testing," Microsoft said.

Just as Microsoft was announcing this delay, security researchers at eEye Digital Security Inc. disclosed the security issue, saying that Microsoft's Aug. 8 update had actually created a new IE bug that attackers could exploit to run unauthorized software on a PC.

Though no attacks exploiting this bug have been reported, eEye believes that the issue is critical.

"The bad guys basically know about this and know that it's an exploitable scenario," eEye's chief hacking officer Marc Maiffret said Tuesday.

Microsoft has published a security advisory on this issue, which can be found at this Web site.

While Microsoft introducing bugs in its security updates is not uncommon, it is unusual for the company to give guidance on when it plans to fix these bugs, said Russ Cooper, senior information security analyst for Cybertrust Inc.

It is also unusual for security firms like eEye to then investigate these bugs for security problems and disclose their existence before Microsoft has patched the problem, he added.

"They should have reported ... this issue to Microsoft first, and only," he said. "And then waited for Microsoft to release a fix."

Source: IT World Canada

Save Internet Security.ca's URL to the list of your favorite web sites in your Web browser by clicking here.

Become an authorized reseller of Proxy Sentinel™ and Firewall Sentinel™. Do like the rest of our authorized resellers and have your clients benefit the important security features of our products and solutions, while increasing your sales at the same time. Click here for all the details.

You can link to the Internet Security web site as much as you like. Read our section on how your company can participate in our reciprocal link exchange program and increase your rankings in the major search engines such as
Google and all the others.