Microsoft says the revised version of MS06-042 fully resolves the security vulnerability discussed in a prior security advisory.
Two days after Microsoft Corp. ripped a security researcher for what it called "irresponsible disclosure" of a flawed Internet Explorer patch, the Redmond, Wash., developer issued version 2.0 of the fix and told Windows 2000 and Windows XP SP1 users to apply it immediately.
The updated MS06-042 security bulletin now includes a ninth patch, which applies only to IE 6.0 SP1 users who have installed the original cumulative fixes since Aug. 8.
"The revised version of MS06-042 fully resolves the security vulnerability discussed in Microsoft Security Advisory 923762 and addresses the issues discovered prior to release," said a Microsoft spokesman in an e-mail to TechWeb. The advisory he referred to was posted Tuesday, when Microsoft acknowledged that the Aug. 8 patches introduced an exploitable vulnerability in the 6.0 SP1 edition of IE. Earlier, Microsoft had insisted that the bug would only crash the affected browsers.
Last week, however, eEye Digital Security reported to Microsoft that the flaw was more severe, and could easily be exploited by attackers to compromise Windows 2000 and Windows XP SP1 systems. eEye and Microsoft disagreed on whether to release additional information before the re-patched patch was available; in the end, Microsoft slapped the "irresponsible" tag on eEye, and in particular, its chief hacking officer, Marc Maiffret.
Maiffret hit back Wednesday by pointing out that Microsoft disclosed more information useful to exploit writers than did eEye. "You just told everyone what to look for," Maiffret said then.
The revised MS06-042 should be deployed only by users of IE 6.0 SP1, said the Microsoft spokesman Thursday. Users of other editions who have already deployed and installed the original MS06-042 security bulletin's fixes don't need to take any additional action.