Microsoft replaces bug-filled patch


Microsoft today re-released a patch to replace a bug-filled fix that caused some applications to crash when users installed it beside Internet Explorer (IE) 6.0 Service Pack 1 (SP1) in conjunction with HTTP 1.1.

Redmond's security experts now hope the corrected patch will successfully resolve the MS06-042 vulnerability, a buffer overflow triggered by long URLs that could lead to remote code execution.

The original patch was released Aug. 8, along with 11 other patches. But within a few days of the release, users started noticing unexpected web browser crashes, Marc Maiffret, co-founder and CTO of eEye Digital Security, has said.

"We are now urging IE 6.0 SP1 customers to go ahead and deploy this revised update as soon as possible," Mike Reavey, program manager of the Microsoft Security Response Center, said today on a company blog.

Reavey defended Microsoft's decision to delay the patch's release.

Microsoft held off on releasing the updated fix due to technology concerns in deployment tools, such as the Microsoft Baseline Security Analyzer (MBSA) and the Inventory Tool for Microsoft Updates (ITMU), which are used by customers running IE on Windows 2000, Reavey said.

"That would have meant that a significant portion of customers would have been unable to deploy the update if we had tried to release it on Aug. 22 as originally stated," he said. "This is very important. Because while some customers still using (IE 6.0 SP1) do utilize other detection and deployment technologies, a large portion still rely on the deployment technologies like MBSA and ITMU due to their support of older products and infrastructures."

Reporter: Dan Kaplan.
