Microsoft Repatches Repatch, Issues Third Fix For IE Flaws - InformationWeek
Among the patches posted Tuesday by Microsoft Corp. in its regular monthly release was a re-repatch of a fix for Internet Explorer that had already been pushed to users twice.

The Tuesday re-release of MS06-042, which debuted Aug. 8, included fixes for 10 vulnerabilities -- two more than in the original -- because of yet another bug uncovered by eEye Digital Security, a California-based company that was blasted last month by Microsoft for not abiding by its unwritten vulnerability disclosure rules.

The newly-patched bug in IE was reported by eEye to Microsoft Aug. 24, the same day that the Redmond, Wash.-based developer issued its first re-release of MS06-042 to fix another flaw it had overlooked. This second bug, said eEye in an online advisory, is "almost identical" to the vulnerability it spotted in August. Like that flaw, the new problem is in how IE handles long URLs when users visit sites that have applied both compression and the HTTP 1.1 protocol.

Although Microsoft didn't use the term, the just-fixed vulnerability was a "regression," a bug not present earlier but introduced by an error in the patch.

"This update cycle has not been an example of our best work," admitted Tony Chor, group program manager for Internet Explorer, in an entry on the team's blog.

Last month, Microsoft attacked eEye Digital's chief hacking officer, Marc Maiffret, for what it called "irresponsible disclosure" of the original long URL bug. Maiffret struck back by pointing out that Microsoft released far more information on the company's security blog than he had in his warning.

At the time, Chor promised that Microsoft would take steps to prevent similar mistakes and would review the last 10 months of code check-ins by the developer responsible for the error. Tuesday, he only said that "this release and the need for subsequent re-releases have certainly been a learning experience for us."

A third strike on a security update is unusual, said Eric Schultze, the chief security architect at patch-management software developer Shavlik. "I can remember only one or two since 2000," said Schultze.

"This was a case of damned if you do, damned if you don't," he added. Users who applied the second iteration of MS06-042 may have fixed one flaw, but left themselves open to this newest bug. Anyone who avoided the just-patched vulnerability by not applying the Aug. 24 version of MS06-042 was at risk from the first long URL flaw.

"We saw enterprises scramble to deploy the first [MS06-042] because it was Critical," Schultze said. "Companies next scrambled to get the private patch from Microsoft, which is what became the fix for [MS06-042] number two. Everyone scrambled for that, and now we're all scrambling to get number three. This kind of thing takes a lot of time and effort."

In a side note, Microsoft returned eEye Digital Security's name to the credit list of MS06-042 when it re-released the bulletin Tuesday. After the August brouhaha, the company had removed eEye from the Acknowledgements section, where it thanks vendors and researchers for reporting bugs to the company.
