8/17/2006
02:44 PM

Microsoft To Fix Patch That Crashes IE

Despite the patch problems, Microsoft continues to urge people to apply the MS06-042 fixes, since they resolve a number of vulnerabilities.

Microsoft Corp. has confirmed that it will re-release a security bulletin issued last week because it's making some users' browsers crash when they visit certain sites.

The MS06-042 bulletin, which fixed 8 flaws in Internet Explorer 5.01 and 6, will be recrafted, then re-released next Tuesday, Aug. 22, a company security program manager said Wednesday.

"We've made an update to MS06-042 to let customers know of an issue they might see after applying the update to Internet Explorer 6 Service Pack 1 systems," wrote Mike Reavey, the operations manager of the Microsoft Security Response Center (MSRC), on the group's blog.

Users running IE 6 SP1 on Windows XP SP1 and Windows 2000 systems will watch their browsers crash when they visit sites that have both compression and the HTTP 1.1 protocol enabled.

Until MS06-042 is re-released, users can apply a Microsoft-made hotfix. However, it's not available for download; users must contact Microsoft's product support by telephone to request the hotfix.

Even though last week's patches may crash some users' copies of IE, Microsoft continued to urge everyone to apply the MS06-042 fixes. "Since [it] resolves a number of security vulnerabilities we recommend customers continue to deploy the update," said Reavey.

Users running IE 6 on systems powered by Windows XP SP2, Windows Server 2003, or Windows System 2003 SP1 are unaffected by the bug and will not need to re-deploy the patched patch next week.

The IE glitch wasn't the only problem with the Aug. 8 fixes that Microsoft has copped to. On Tuesday, it revised the MS06-040 bulletin to acknowledge that after installing the patch, programs that request a large amount of contiguous memory -- Microsoft Business Solutions' Navision 3.70 was the example given -- may crash. The problem crops up only on systems running the 32-bit version of Windows Server 2003 SP1.

Microsoft has a hotfix for this bug as well; users must, however, phone support to obtain it.

The Redmond, Wash. developer also went out of its way to tell users that the fix in MS06-040 does not take care of another bug in the Server service which popped up earlier this month. That flaw, which when exploited causes a denial of service (DoS) on an unspecified range of Windows operating systems, is still on Microsoft's to-do list.

"Its [sic] important to distinguish that while MS06-040 addresses a vulnerability in the Server Service it does not resolve the Denial of Service issue I spoke about earlier," wrote MSRC program manager Adrian Stone last week on the team's blog. "We are still working on the security update for the DoS issue and the report for it came in after we had completed our testing cycle for MS06-040.

"With the importance and potential severity previously mentioned regarding MS06-040, we felt it was important to get the security update out as soon as possible. We'll continue working on the DoS issue and will release a security update once it's reached an appropriate level of quality," Stone concluded.

Microsoft took other steps to ensure that the MS06-040 fix was in customers' hands as soon as possible. For the first time, the company admitted to prioritizing critical patches, and it used a new warning label when patches were delivered to users via Microsoft Update or Windows Update.
