eEye's Maiffret didn't hesitate to defend his company's actions. "We haven't put any kind of details in our alert," he said. "But Microsoft tells everyone exactly where the bug is." Microsoft's advisory noted that long URLs to sites using HTTP 1.1 and compression are at fault, while Chor's blog mentioned the urlmon.dll file.
"You just told everyone what to look for," Maiffret said. "How many times are you gonna mess up on this one?"
Microsoft and researchers have frequently clashed over what is, or isn't, "responsible" disclosure. But this was a first for Maiffret. "I wouldn't have done anything different," he said, pointing out that both security researchers and exploit writers knew that the IE 6 SP1 bug was exploitable. The only people who didn't have the facts were IT administrators, and they are the ones who needed them to make informed decisions, Maiffret argued. "They need the truth ... [but] Microsoft had effectively been lying to them since the 10th or the 11th by saying it only crashed IE."
Everyone makes mistakes, Maiffret said, but differences are displayed by how companies own up to errors. "This whole thing turned into some kind of marketing thing," he said. "Microsoft was embarrassed and lashed out."
"The bug shouldn't have made it past original QA, that was mistake number one," he said. "Two, they introduced an error in the patch, and three, they tried to hide it. Finally, number four, they were the ones to release in their advisory the information attackers needed. They're the ones pointing the way, not us."
The only thing eEye and Microsoft agreed on was what users could do to defend their systems against a possible exploit. Microsoft recommended that users disable the HTTP 1.1 protocol by selecting Tools|Internet Options|Advanced, then unchecking the "Use HTTP 1.1" and "Use HTTP 1.1 through proxy connections" boxes before clicking "OK."
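For administrators who need to verify that workaround across many XP SP1 desktops rather than click through the dialog on each one, here is an added PowerShell audit script; it is not from the article, eEye or Microsoft, and it assumes the two checkboxes map to the DWORD values EnableHttp1_1 and ProxyHttp1.1 under the current user's Internet Settings key.

```powershell
# Added example (not from the article): audit, and optionally apply, the
# interim workaround Microsoft described for the MS06-042 IE 6 SP1 regression,
# i.e. unchecking "Use HTTP 1.1" and "Use HTTP 1.1 through proxy connections".
# Assumption: those checkboxes are stored as the DWORD values EnableHttp1_1 and
# ProxyHttp1.1 (1 = checked) under the per-user Internet Settings key.
$InternetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$Http11Values = @('EnableHttp1_1', 'ProxyHttp1.1')

function Get-IeHttp11State {
    # Emits one object per setting so the output can be piped to Format-Table
    # or exported to CSV for an inventory across machines.
    foreach ($name in $Http11Values) {
        $value = (Get-ItemProperty -Path $InternetSettings -Name $name `
                    -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Setting  = $name
            Value    = $value
            # A missing value means IE's default, which leaves HTTP 1.1 enabled,
            # so only an explicit 0 counts as the workaround being in place.
            Http11On = ($null -eq $value) -or ($value -ne 0)
        }
    }
}

function Disable-IeHttp11 {
    # Applies the workaround for the current user only. IE reads these values
    # at startup, so already-open browser windows keep using HTTP 1.1.
    foreach ($name in $Http11Values) {
        Set-ItemProperty -Path $InternetSettings -Name $name -Value 0 -Type DWord
    }
}

# Report the current state; call Disable-IeHttp11 to apply the workaround.
Get-IeHttp11State | Format-Table -AutoSize
```

Disabling HTTP 1.1 also turns off compression for that user, so treat this as a stopgap until the revised patch (or XP SP2, as eEye recommends) is in place.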
eEye followed suit in its advisory, but also told users "the best way to protect your XP systems is to upgrade to Windows XP SP2 as it is protected against this vulnerability. Support for XP SP1 ends in October and there are huge security benefits to XP SP2."
Microsoft has not committed to a new release date for a revised MS06-042 patch.