Update coming for IE 6.0 SP1 security vulnerability

[madmatt]

You may have read reports of a new, irresponsibly disclosed vulnerability that affects IE 6.0 SP1. We are aware of this issue and are actively working on an update that addresses the problem, which was introduced with our last security update (MS06-042). This issue only impacts customers running IE 6.0 SP1; customers running Windows XP SP2, Server 2003 SP1, IE 5.01 on Windows 2000, or any of the IE7 betas including Windows Vista are not affected. As far as we know, there are no active exploits at this time. The Microsoft Security Response Center (MSRC) has released security advisory 923762 with guidance for customers on this issue.

Briefly, after the initial release of MS06-042, we were responsibly informed of a potentially exploitable security vulnerability via a crash in urlmon.dll; we also started receiving reports of customers running into the crash during normal usage. As a result of the security and reliability impact of this bug, we decided not to wait for the next normally scheduled update. We had planned to release the update today, but last night we found an issue that would prevent some customers from being able to deploy the update. As a result, we decided to hold the release until it meets the appropriate level of quality for such a broad distribution.

We’ve been working hard to improve our update quality over the past few years and built a pretty comprehensive set of checks and balances in our engineering process to prevent mistakes like this. In fact, this will be the first re-release of an IE update in 2.5 years (MS04-004 was the last one). Unfortunately, we missed this issue, plain and simple. In parallel with making the right fix, we have been working through how we prevent similar mistakes from happening again. For instance, we have code-reviewed the past ten months of code check-ins from the developer responsible for this issue. We have also gone through all of our applicable engineering processes and tightened parts based on our learnings from this release. Finally, we are reconsidering our staffing and tools to allow us to scale better to our heavy load periods.

Across the company and the industry, we’ve seen how hard it is to ship updates in a timely way with high quality. We take responsibility for our mistakes by trying to minimize the customer impact and continually striving to learn from our experiences to do better next time. We will also continue to work with the security researcher community to encourage only responsible disclosure of security vulnerabilities. (You can read about some of the issues and challenges on this front on the MSRC blog.)

Source: Internet Explorer Team Blog

 

[madmatt]

There's more trouble with Microsoft's latest Internet Explorer patch: It introduces a serious new security flaw on some Windows systems.

The vulnerability could let miscreants hijack a Windows PC running IE 6 with Service Pack 1 and the MS06-042 update installed, Microsoft said in a security advisory published on Tuesday. The flaw lies in the way IE handles long Web addresses and could be exploited by luring users to specially crafted Web sites, according to the advisory.

"An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system," Microsoft said in its advisory. "We are not aware of attacks that try to use the reported vulnerability."

Microsoft released the MS06-042 security update on Aug. 8 as part of its monthly patch cycle. The update, deemed "critical" by Microsoft, addresses eight flaws in the ubiquitous browser. It is one of a dozen security updates that Microsoft released this month on Patch Tuesday.

The company planned to release a new version of the MS06-042 update on Tuesday to fix a problem with browser crashes reported by some users after installing the original fix. That crash, it turns out, is the result of a "buffer overrun" flaw introduced by the security update, Microsoft said. The flaw could be exploited by cyberattackers.

Further compounding the troubles with the IE patch, Microsoft postponed the release of the updated fix at the eleventh hour because of an undisclosed problem discovered during testing, Stephen Toulouse, a Microsoft Security Response program manager, wrote on a corporate blog Tuesday.

"Providing the update in its current state would have resulted in customers being unable to deploy the update," Toulouse wrote, adding that the issue was discovered late Monday night.

As a result, users of IE 6.0 with SP1 are vulnerable to cyberattack regardless of their patching status. Microsoft advises users to install the patch and to disable the use of Hypertext Transfer Protocol (HTTP) version 1.1 in the browser.

The security issue does not impact other versions of IE, such as the version in Windows XP with SP2 or on Windows Server 2003, Microsoft said.

This is not the only patch Microsoft issued this month that is causing trouble. On Thursday, the company released a "hotfix" for a fault in security patch MS06-040. The fix addresses the problem of programs failing if they request one gigabyte or more of information on a patched system.

An update to the MS06-042 update is still in the works, but Microsoft could not say when it would be ready.

Source: CNET News.com

 

[Perris Calderon]

why are they still supporting sp1?

is there some compatablity issue with sp1 to justify not installing it?

 

[madmatt]

Windows 2000 (Professional and Server) only runs (up to) IE6 SP1. There will not be any new features for Windows 2000.

 

[Perris Calderon]

Windows 2000 (Professional and Server) only runs (up to) IE6 SP1. There will not be any new features for Windows 2000.

got it