Update: Microsoft Thursday
released a long-awaited patch to correct a vulnerability caused
by its
Aug. 8 Internet Explorer patch. The company originally planned
to release the new patch Tuesday but delayed the rollout. Sources
have said the delay was caused by interoperability problems related
to Microsoft's Systems Management Server.
The Internet Explorer patch that Microsoft released earlier this
month not only caused the browser to crash on many machines, but
also produced an exploitable condition in IE that is currently
unpatched.
The
Internet Explorer heap overflow vulnerability enables an
attacker to gain control of a PC by enticing users to click on a
malicious link in an email or visit a malicious Web site. The flaw
is exploitable on machines that are running IE 6 with Service Pack
1 (SP1) installed and is only an issue on sites that use
compression, said Marc Maiffret, chief hacking officer at eEye
Digital Security Inc. in Aliso Viejo, Calif.
Microsoft, of Redmond, Wash., had acknowledged that the original
MS06-042 patch causes IE to crash on some machines, and late
Tuesday informed customers that the condition can be exploited.
However, a Microsoft spokesman said the company abandoned plans
to release a new patch on Tuesday because of issues discovered
during the testing process. The company did however post an
advisory on its TechNet site notifying customers that the patch
would be delayed.
The advisory said the Microsoft was "aggressively investigating"
the reports but did not say when the new fix might be available for
customers.
Maiffret said that eEye informed Microsoft on Aug. 17 about the
exploitable condition, and he said other research companies have
notified Microsoft of the problem as well. A day earlier, Microsoft
posted a message about the crashes on the Microsoft Security
Response Center blog and subsequently created a Knowledge Base
article, providing customers with a link through which they can
request a hotfix from Microsoft Product Support Services.
Maiffret criticized Microsoft for not providing its customers
with more timely information.
"The thing that's crazy to me is that they either knowingly left
people vulnerable or just blew it," Maiffret said. "You know the
bad guys saw this like anybody else. [Microsoft hasn't] warned
anybody. [The vulnerability] is pretty easy to find."
eEye published an advisory
about the problem Tuesday.
The original MS06-042 fix is a cumulative update for IE that
includes patches for eight separate flaws. Microsoft and other
experts had recommend that users install the original fix until the
updated one is available.