Microsoft has postponed the release of an updated
version of a critical security patch that was found to crash the
Internet Explorer browser, despite admitting that the crash was
“exploitable”.
The software giant released its MS06-042 security update earlier
this month to fix a bug that could let hackers use the Internet
Explorer browser to take over users’ machines.
But Microsoft was later forced to issue an advisory admitting
that the patch could crash the browser when some websites are
visited. The problem affects IE 6 with Service Pack 1 on Windows XP
and Windows 2000 systems.
It pledged to re-release the patch on 22 August. But in a post
on Microsoft’s security response centre blog, security programme
manager Stephen Toulouse said, “Late last night we discovered an
issue that led us to the difficult but necessary decision to not
release this update today. Providing the update in its current
state would have resulted in customers being unable to deploy the
update.”
The post did not give a new date for the release.
Toulouse added that independent security researchers had warned
Microsoft that the crash was exploitable – and that this knowledge
had been made public.
No attacks exploiting the vulnerability had been seen, but
Microsoft admitted there was “certainly increased risk of attack”.
The company has issued a security advisory detailing workarounds
until a new version of the patch is released.