03:12 PM

Microsoft Repatches IE's August Patch

Microsoft says the revised version of MS06-042 fully resolves the security vulnerability discussed in a prior security advisory.

Two days after Microsoft Corp. ripped a security researcher for what it called "irresponsible disclosure" of a flawed Internet Explorer patch, the Redmond, Wash. developer issued version 2.0 of the fix and told Windows 2000 and Windows XP SP1 users to apply it immediately.

The updated MS06-042 security bulletin now includes a ninth patch, which applies only to IE 6.0 SP1 users who have installed the original cumulative fixes since Aug. 8.

"The revised version of MS06-042 fully resolves the security vulnerability discussed in Microsoft Security Advisory 923762 and addresses the issues discovered prior to release," said a Microsoft spokesman in an e-mail to TechWeb. The advisory he referred to was posted Tuesday, when Microsoft acknowledged that the Aug. 8 patches introduced an exploitable vulnerability in the 6.0 SP1 edition of IE. Earlier, Microsoft had insisted that the bug would only crash the affected browsers.

Last week, however, eEye Digital Security reported to Microsoft that the flaw was more severe, and could easily be exploited by attackers to compromise Windows 2000 and Windows XP SP1 systems. eEye and Microsoft disagreed on whether to release additional information before the re-patched patch was available; in the end, Microsoft slapped the "irresponsible" tag on eEye, and in particular, its chief hacking officer, Marc Maiffret.

Maiffret hit back Wednesday by pointing out that Microsoft disclosed more information useful to exploit writers than did eEye. "You just told everyone what to look for," Maiffret said then.

The revised MS06-042 should be deployed only by users of IE 6.0 SP1, said the Microsoft spokesman Thursday. Users of other editions who have already deployed and installed the original MS06-042 security bulletin's fixes don't need to take any additional action.
