News
9/13/2006
03:00 PM

Microsoft Repatches Repatch, Issues Third Fix For IE Flaws

"This update cycle has not been an example of our best work," admitted Tony Chor, group program manager for Internet Explorer, in an entry on the team's blog.

Among the patches posted Tuesday by Microsoft Corp. in its regular monthly release was a re-repatch of a fix for Internet Explorer that had already been pushed to users twice.

The Tuesday re-release of MS06-042, which debuted Aug. 8, included fixes for 10 vulnerabilities -- two more than in the original -- because of yet another bug uncovered by eEye Digital Security, a California-based company that was blasted last month by Microsoft for not abiding by its unwritten vulnerability disclosure rules.

The newly-patched bug in IE was reported by eEye to Microsoft Aug. 24, the same day that the Redmond, Wash.-based developer issued its first re-release of MS06-042 to fix another flaw it had overlooked. This second bug, said eEye in an online advisory, is "almost identical" to the vulnerability it spotted in August. Like that flaw, the new problem is in how IE handles long URLs when users visit sites that have applied both compression and the HTTP 1.1 protocol.

Although Microsoft didn't use the term, the just-fixed vulnerability was a "regression," a bug not present earlier but introduced by an error in the patch.

Last month, Microsoft attacked eEye Digital's chief hacking officer, Marc Maiffret, for what it called "irresponsible disclosure" of the original long URL bug. Maiffret struck back by pointing out that Microsoft released far more information on the company's security blog than he had in his warning.

At the time, Chor promised that Microsoft would take steps to prevent similar mistakes and would review the last 10 months of code check-ins by the developer responsible for the error. Tuesday, he only said that "this release and the need for subsequent re-releases have certainly been a learning experience for us."

A third strike on a security update is unusual, said Eric Schultze, the chief security architect at patch manager developer Shavlik. "I can remember only one or two since 2000," said Schultze.

"This was a case of damned if you do, damned if you don't," he added. Users who applied the second iteration of MS06-042 may have fixed one flaw, but left themselves open to this newest bug. Anyone who avoided the just-patched vulnerability by not applying the Aug. 24 version of MS06-042 was at risk from the first long URL flaw.

"We saw enterprises scramble to deploy the first [MS06-042] because it was Critical," Schultze said. "Companies next scrambled to get the private patch from Microsoft, which is what became the fix for [MS06-042] number two. Everyone scrambled for that, and now we're all scrambling to get number three. This kind of thing takes a lot of time and effort."

In a side note, Microsoft returned eEye Digital Security's name to the credit list of MS06-042 when it re-released the bulletin Tuesday. After the August brouhaha, the company had removed eEye from the Acknowledgements section, where it thanks vendors and researchers for reporting bugs to the company.
