Patch/Configuration Management, Vulnerability Management

Microsoft delays patch re-release; MS patch contains new flaw, says researcher

Microsoft announced today, reversing what it said last week, that it will not release a formal fix for its MS06-042 patch. As a result, the company is telling the security community that IT administrators should find a workaround for a vulnerability introduced by the existing patch.

The re-released MS06-042 update was supposed to resolve a bug in the patch that could cause an application to stop responding when installed alongside Internet Explorer 6.0 Service Pack 1 in conjunction with HTTP 1.1.

Security researchers began prodding Microsoft to mend the problem when they found that the patch not only caused crashes but also posed a security risk to users.

"Within a few days of the patch coming out, people started experiencing a lot of different web browser crashes," said Marc Maiffret, eEye Digital Security co-founder and CTO. "Researchers understand that most of the times when there is a crash happening, it's usually because there's a security vulnerability."

Microsoft released a dozen patches earlier this month as part of its regular Patch Tuesday cycle.

Maiffret said that when he and his researchers contacted Microsoft, they were told that the security hole would be solved today.

But a Microsoft spokesperson said the company has decided to hold off on the re-release due to an "issue discovered in final testing that impacts a customer's ability to broadly deploy the update."

Maiffret disagreed with Microsoft's decision to delay the release. He said the issue was too minor to hold up such an important vulnerability fix, which is why eEye decided to publicly disclose the problem.

"We didn't release an advisory, which would have technical details," he said. "We only released an alert, which doesn't say anything more than what you would read on the Microsoft site about the crash — except for calling it a crash, we told the truth, which was that it is exploitable."

Predictably, Microsoft expressed dismay at eEye's decision to go public with the information.

"Unfortunately, one of the security researchers who reported this to us disagreed with our decision to hold communications and has publicly pointed out the exploitability of the specific crash and the affected platform," wrote Stephen Toulouse, security program manager for Microsoft's Security Response Center. "Up until now, we have not seen any attacks using this vulnerability, nor have we seen broad awareness of this vulnerability. Since the exploitability of this is public now however, there is certainly increased risk of attack."

Maiffret disputed Toulouse's argument, explaining that his company wanted to get the truth out so that IT administrators would understand the true extent of the problem and deal with it accordingly.

"The bad guys have already figured this out," Maiffret said. "eEye is not super-amazing in that we were able to figure this out. The problem is that the IT world has been told this is a crashing problem and it's been talked about all over, people just don't know what they're really talking about."

While Microsoft hasn't released an official re-release of the patch, there is an interim patch available through Microsoft's Product Support Services by calling 866-PCSAFETY.

"There is a patch, there is a workaround, there are a lot of things you can do as a business," Maiffret said. "We just wanted to be sure to alert people."
