Microsoft has postponed the release of an updated version of a critical security patch that was found to crash the Internet Explorer browser, despite admitting that the crash was “exploitable”.
The software giant released its MS06-042 security update earlier this month to fix a bug that could let hackers use the Internet Explorer browser to take over users’ machines.
But Microsoft was later forced to issue an advisory admitting that the patch could crash the browser when some websites are visited. The problem affects IE 6 with Service Pack 1 on Windows XP and Windows 2000 systems.
It pledged to re-release the patch on 22 August. But in a post on Microsoft’s security response centre blog, security programme manager Stephen Toulouse said, “Late last night we discovered an issue that led us to the difficult but necessary decision to not release this update today. Providing the update in its current state would have resulted in customers being unable to deploy the update.”
The post did not give a new date for the release.
Toulouse added that independent security researchers had warned Microsoft that the crash was exploitable – and that this knowledge had been made public.
No attacks exploiting the vulnerability had been seen, but Microsoft admitted there was “certainly increased risk of attack”. The company has issued a security advisory detailing workarounds until a new version of the patch is released.