News
News
8/17/2006
02:44 PM
Connect Directly
RSS
E-Mail
50%
50%

Microsoft To Fix Patch That Crashes IE

Despite the patch problems, Microsoft continues to urge people to apply the MS06-042 fixes, since they resolve a number of vulnerabilities.

Microsoft Corp. has confirmed that it will re-release a security bulletin issued last week because it's making some users' browsers crash when they visit certain sites.

The MS06-042 bulletin, which fixed 8 flaws in Internet Explorer 5.01 and 6, will be recrafted, then re-released next Tuesday, Aug. 22, a company security program manager said Wednesday.

"We've made an update to MS06-042 to let customers know of an issue they might see after applying the update to Internet Explorer 6 Service Pack 1 systems," wrote Mike Reavey, the operations manager of the Microsoft Security Response Center (MSRC), on the group's blog.

Users running IE 6 SP1 on Windows XP SP1 and Windows 2000 systems will watch their browsers crash when they visit sites that have both compression and the HTTP 1.1 protocol enabled.

Until MS06-042 is re-released, users can apply a Microsoft-made hotfix. However, it's not available for download; users must contact Microsoft's product support by telephone to request the hotfix.

Even though last week's patches may crash some users' copies of IE, Microsoft continued to urge everyone to apply the MS06-042 fixes. "Since [it] resolves a number of security vulnerabilities we recommend customers continue to deploy the update," said Reavey.

Users running IE 6 on systems powered by Windows XP SP2, Windows Server 2003, or Windows System 2003 SP1 are unaffected by the bug and will not need to re-deploy the patched patch next week.

The IE glitch wasn't the only problem with the Aug. 8 fixes that Microsoft has copped to. On Tuesday, it revised the MS06-040 bulletin to acknowledge that after installing the patch, programs which request a large amount of contiguous memory -- Microsoft Business Solutions' Navivision 3.70 was the example given -- may crash. The problem crops up only on systems running the 32-bit version of Windows Server 2003 SP1.

Microsoft has a hotfix for this bug as well; users must, however, phone support to obtain it.

The Redmond, Wash. developer also went out of its way to tell users that the fix in MS06-040 does not take care of another bug in the Server service which popped up earlier this month. That flaw, which when exploited generates a denial-of-service (Dos) on an unspecified range of Windows operating systems, is still on Microsoft's to-do list.

"Its [sic] important to distinguish that while MS06-040 addresses a vulnerability in the Server Service it does not resolve the Denial of Service issue I spoke about earlier," wrote MSRC program manager Adrian Stone last week on the team's blog. "We are still working on the security update for the DoS issue and the report for it came in after we had completed our testing cycle for MS06-040.

"With the importance and potential severity previously mentioned regarding MS06-040, we felt it was important to get the security update out as soon as possible. We'll continue working on the DoS issue and will release a security update once it's reached an appropriate level of quality," Stone concluded.

Microsoft took other steps to insure that the MS06-040 fix was in customers' hands as soon as possible. For the first time, the company admitted to prioritizing critical patches, and it used a new warning label when patches were delivered to users via Microsoft Update or Windows Update.

Comment  | 
Print  | 
More Insights
The Business of Going Digital
The Business of Going Digital
Digital business isn't about changing code; it's about changing what legacy sales, distribution, customer service, and product groups do in the new digital age. It's about bringing big data analytics, mobile, social, marketing automation, cloud computing, and the app economy together to launch new products and services. We're seeing new titles in this digital revolution, new responsibilities, new business models, and major shifts in technology spending.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - September 10, 2014
A high-scale relational database? NoSQL database? Hadoop? Event-processing technology? When it comes to big data, one size doesn't fit all. Here's how to decide.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.