The Internet Explorer patch that Microsoft released earlier this month not only caused the browser to crash on many machines, but also produced an exploitable condition in IE that is currently unpatched.
The Internet Explorer heap overflow vulnerability enables an attacker to gain control of a PC by enticing users to click on a malicious link in an email or visit a malicious Web site. The flaw is exploitable on machines that are running IE 6 with Service Pack 1 (SP1) installed and is only an issue on sites that use compression, said Marc Maiffret, chief hacking officer at eEye Digital Security Inc. in Aliso Viejo, Calif.
Microsoft, of Redmond, Wash., had acknowledged that the original MS06-042 patch causes IE to crash on some machines, and late Tuesday informed customers that the condition can be exploited.
However, a Microsoft spokesman said the company abandoned plans to release a new patch on Tuesday because of issues discovered during the testing process. The company did however post an advisory on its TechNet site notifying customers that the patch would be delayed.
The advisory said the Microsoft was "aggressively investigating" the reports but did not say when the new fix might be available for customers.
Maiffret said that eEye informed Microsoft on Aug. 17 about the exploitable condition, and he said other research companies have notified Microsoft of the problem as well. A day earlier, Microsoft posted a message about the crashes on the Microsoft Security Response Center blog and subsequently created a Knowledge Base article, providing customers with a link through which they can request a hotfix from Microsoft Product Support Services.
Maiffret criticized Microsoft for not providing its customers with more timely information.
"The thing that's crazy to me is that they either knowingly left people vulnerable or just blew it," Maiffret said. "You know the bad guys saw this like anybody else. [Microsoft hasn't] warned anybody. [The vulnerability] is pretty easy to find."
eEye published an advisory about the problem Tuesday.
The original MS06-042 fix is a cumulative update for IE that includes patches for eight separate flaws. Microsoft and other experts had recommend that users install the original fix until the updated one is available.