Microsoft replaces bug-filled patch
Microsoft today re-released a patch to replace a bug-filled fix that caused some applications to crash when users installed it beside Internet Explorer (IE) 6.0 Service Pack (SP)1 in conjunction with HTTP 1.1.
Redmond's security experts now hope the corrected patch will successfully solve the MS06-042 vulnerability that could lead to remote code execution caused by long URL buffer overflow.
The original patch was released Aug. 8, along with 11 other patches. But within a few days of the release, users started noticing unexpected web browser crashes, Marc Maiffret, co-founder and CTO of eEye Digital Security, has said.
"We are now urging IE 6.0 SP1 customers to go ahead and deploy this revised update as soon as possible," Mike Reavey, program manager of the Microsoft Security Response Center, said today on a company blog.
Reavey defended Microsoft's decision to delay the patch's release.
Microsoft held off on releasing the updated fix due to technology concerns in deployment tools, such as the Microsoft Baseline Security Analyzer (MBSA) and the Inventory Tool for Microsoft Updates (ITMU), which are used by customers running IE on Windows 2000, Reavey said.
"That would have meant that a significant portion of customers would have been unable to deploy the update if we had tired to release it on Aug. 22 as originally stated," he said. "This is very important. Because while some customers still using (IE 6.0 SP1) do utilize other detection and deployment technologies, a large portion still rely on the deployment technologies like MBSA and ITMU due to their support of older products and infrastructures."