By Joris Evers
Posted on ZDNet News: Aug 23, 2006 12:41:00 AM

There's more trouble with Microsoft's latest Internet Explorer patch: It introduces a serious new security flaw on some Windows systems.

The vulnerability could let miscreants hijack a Windows PC running IE 6 with Service Pack 1 and the MS06-042 update installed, Microsoft said in a security advisory published on Tuesday. The flaw lies in the way IE handles long Web addresses and could be exploited by luring users to specially crafted Web sites, according to the advisory.

"An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system," Microsoft said in its advisory. "We are not aware of attacks that try to use the reported vulnerability."

Microsoft released the MS06-042 security update on Aug. 8 as part of its monthly patch cycle. The update, deemed "critical" by Microsoft, addresses eight flaws in the ubiquitous browser. It is one of a dozen security updates that Microsoft released this month on Patch Tuesday.

The company planned to release a new version of the MS06-042 update on Tuesday to fix a problem with browser crashes reported by some users after installing the original fix. That crash, it turns out, is the result of a "buffer overrun" flaw introduced by the security update, Microsoft said. The flaw could be exploited by cyberattackers.

Further compounding the troubles with the IE patch, Microsoft postponed the release of the updated fix at the eleventh hour because of an undisclosed problem discovered during testing, Stephen Toulouse, a Microsoft Security Response program manager, wrote on a corporate blog Tuesday.

"Providing the update in its current state would have resulted in customers being unable to deploy the update," Toulouse wrote, adding that the issue was discovered late Monday night.

As a result, users of IE 6.0 with SP1 are vulnerable to cyberattack regardless of their patching status. Microsoft advises users to install the patch and to disable the use of Hypertext Transfer Protocol (HTTP) version 1.1 in the browser.

The security issue does not impact other versions of IE, such as the version in Windows XP with SP2 or on Windows Server 2003, Microsoft said.

This is not the only patch Microsoft issued this month that is causing trouble. On Thursday, the company released a "hotfix" for a fault in security patch MS06-040. The fix addresses the problem of programs failing if they request one gigabyte or more of information on a patched system.

An update to the MS06-042 update is still in the works, but Microsoft could not say when it would be ready.
