9/13/2006 03:00 PM

Microsoft Repatches Repatch, Issues Third Fix For IE Flaws

"This update cycle has not been an example of our best work," admitted Tony Chor, group program manager for Internet Explorer, in an entry on the team's blog.

Among the patches posted Tuesday by Microsoft Corp. in its regular monthly release was a re-repatch of a fix for Internet Explorer that had already been pushed to users twice.

The Tuesday re-release of MS06-042, which debuted Aug. 8, included fixes for 10 vulnerabilities -- two more than in the original -- because of yet another bug uncovered by eEye Digital Security, a California-based company that was blasted last month by Microsoft for not abiding by its unwritten vulnerability disclosure rules.

The newly-patched bug in IE was reported by eEye to Microsoft Aug. 24, the same day that the Redmond, Wash.-based developer issued its first re-release of MS06-042 to fix another flaw it had overlooked. This second bug, said eEye in an online advisory, is "almost identical" to the vulnerability it spotted in August. Like that flaw, the new problem is in how IE handles long URLs when users visit sites that have applied both compression and the HTTP 1.1 protocol.
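The article only says the flaw lies in how IE handles long URLs on sites that use both compression and HTTP 1.1. As an added illustration (not code from the article, Microsoft or eEye), the filter below scans constructed proxy log lines for exactly that combination so a defender can see which IE clients were talking to such sites while the patch situation was unsettled. The log field layout, the 1024-character threshold and the `MSIE` client tag are assumptions.

```python
# Added example: a triage filter over constructed proxy log lines that flags
# the combination the article describes -- a long URL served over HTTP/1.1
# with compression applied -- to locate where unpatched IE clients would be
# exposed. Field layout and the length threshold are assumptions.
import re
from dataclasses import dataclass

# Constructed sample log lines: "METHOD URL PROTO STATUS CONTENT-ENCODING CLIENT"
SAMPLE_LOG = """\
GET http://intranet.example/index.html HTTP/1.1 200 gzip MSIE6
GET http://intranet.example/{long} HTTP/1.1 200 gzip MSIE6
GET http://intranet.example/{long} HTTP/1.0 200 identity MSIE6
GET http://intranet.example/{long} HTTP/1.1 200 gzip Firefox
""".format(long="a/" * 600)  # 1200-character path, constructed

LINE_RE = re.compile(r"^(\S+) (\S+) HTTP/(\d\.\d) (\d{3}) (\S+) (\S+)$")
URL_LENGTH_THRESHOLD = 1024  # assumption; the article gives no number


@dataclass
class Hit:
    url_length: int
    client: str


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    method, url, proto, status, encoding, client = m.groups()
    return {"method": method, "url": url, "proto": proto,
            "status": int(status), "encoding": encoding.lower(), "client": client}


def is_exposing_request(rec, threshold=URL_LENGTH_THRESHOLD):
    """True when all three conditions named in the article line up:
    HTTP/1.1, a compressed response body, and a long URL."""
    return (rec["proto"] == "1.1"
            and rec["encoding"] in ("gzip", "deflate")
            and len(rec["url"]) > threshold)


def find_exposing_requests(log_text, threshold=URL_LENGTH_THRESHOLD, ie_only=True):
    """Return a Hit for every matching request, optionally limited to IE clients."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if ie_only and "MSIE" not in rec["client"]:
            continue
        if is_exposing_request(rec, threshold):
            hits.append(Hit(len(rec["url"]), rec["client"]))
    return hits


if __name__ == "__main__":
    for hit in find_exposing_requests(SAMPLE_LOG):
        print(f"long URL ({hit.url_length} chars) over HTTP/1.1+gzip from {hit.client}")
```

Only the second sample line trips all three conditions for an IE client; the HTTP/1.0 line and the short-URL line are ignored, and the Firefox line is dropped unless `ie_only=False`.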

Although Microsoft didn't use the term, the just-fixed vulnerability was a "regression," a bug not present earlier but introduced by an error in the patch.

Last month, Microsoft attacked eEye Digital's chief hacking officer, Marc Maiffret, for what it called "irresponsible disclosure" of the original long URL bug. Maiffret struck back by pointing out that Microsoft released far more information on the company's security blog than he had in his warning.

At the time, Chor promised that Microsoft would take steps to prevent similar mistakes and would review the last 10 months of code check-ins by the developer responsible for the error. Tuesday, he only said that "this release and the need for subsequent re-releases have certainly been a learning experience for us."

A third strike on a security update is unusual, said Eric Schultze, the chief security architect at patch manager developer Shavlik. "I can remember only one or two since 2000," said Schultze.

"This was a case of damned if you do, damned if you don't," he added. Users who applied the second iteration of MS06-042 may have fixed one flaw, but left themselves open to this newest bug. Anyone who avoided the just-patched vulnerability by not applying the Aug. 24 version of MS06-042 was at risk from the first long URL flaw.

"We saw enterprises scramble to deploy the first [MS06-042] because it was Critical," Schultze said. "Companies next scrambled to get the private patch from Microsoft, which is what became the fix for [MS06-042] number two. Everyone scrambled for that, and now we're all scrambling to get number three. This kind of thing takes a lot of time and effort."

In a side note, Microsoft returned eEye Digital Security's name to the credit list of MS06-042 when it re-released the bulletin Tuesday. After the August brouhaha, the company had removed eEye from the Acknowledgements section, where it thanks vendors and researchers for reporting bugs to the company.
