Microsoft replaces bug-filled patch

Microsoft today re-released a patch to replace a bug-filled fix that caused some applications to crash when users installed it beside Internet Explorer (IE) 6.0 Service Pack (SP)1 in conjunction with HTTP 1.1.

Redmond's security experts now hope the corrected patch will successfully fix the MS06-042 vulnerability, a buffer overflow triggered by long URLs that could lead to remote code execution.

The original patch was released Aug. 8, along with 11 other patches. But within a few days of the release, users started noticing unexpected web browser crashes, Marc Maiffret, co-founder and CTO of eEye Digital Security, has said.

"We are now urging IE 6.0 SP1 customers to go ahead and deploy this revised update as soon as possible," Mike Reavey, program manager of the Microsoft Security Response Center, said today on a company blog.

Reavey defended Microsoft's decision to delay the patch's release.

Microsoft held off on releasing the updated fix due to technology concerns in deployment tools, such as the Microsoft Baseline Security Analyzer (MBSA) and the Inventory Tool for Microsoft Updates (ITMU), which are used by customers running IE on Windows 2000, Reavey said.

"That would have meant that a significant portion of customers would have been unable to deploy the update if we had tried to release it on Aug. 22 as originally stated," he said. "This is very important. Because while some customers still using (IE 6.0 SP1) do utilize other detection and deployment technologies, a large portion still rely on the deployment technologies like MBSA and ITMU due to their support of older products and infrastructures."

Reporter: Dan Kaplan.