August 22, 2006
Does new MS patch need mending?
Security research firm eEye Digital Security is warning Microsoft customers that a recent patch, MS06-042, actually opened a new, remotely exploitable hole in the operating system, even while it patched other holes in the Internet Explorer Web browser.
According to eEye Chief Hacking Officer Marc Maiffret, MS06-042, a cumulative security update for IE, introduced a new exploitable vulnerability on Windows XP Service Pack 1 with IE 6.0. If you've forgotten already, that's the patch that caused IE to crash when viewing certain Web sites that use data compression under the HTTP 1.1 Web standard.
Microsoft has not yet responded to Maiffret and eEye's claims, and it was unclear Tuesday afternoon whether or not the new patch introduced a new security hole in XP systems.
Microsoft issued a hotfix on August 11 that fixed the crashes. The company promised a revised patch for the problem by August 22 (today) to be distributed through the Microsoft Download Center and Windows Update. The company has not, so far, warned customers about any exploitable hole introduced by the patch on XP SP1 systems.
Microsoft was looking into the eEye claims, a spokeswoman told TechWatch.
But Maiffret said the hole isn't hard to spot. He described it as a buffer overflow that is triggered when Web sites send large amounts of compressed data to vulnerable instances of IE on XP SP1 systems that have applied the 042 patch.
Maiffret worries that customers using XP SP1 might be inclined to ignore the hotfix, leaving their systems open to compromise. The company issued a warning to its customers Tuesday afternoon.
Companies that have applied the MS06-042 patch to fix a host of IE vulnerabilities can work around the crash problem by disabling HTTP 1.1 support on IE 6, according to Microsoft. To do that:
1) On the Tools menu, click Internet Options, and then click the Advanced tab.
2) In the Settings box, click to clear the Use HTTP 1.1 check box under HTTP 1.1 settings, and then click OK.
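For administrators who need to check whether that workaround is actually in place on a machine (or switch it on without clicking through Internet Options on every box), the batch script below is an added example; it is not from the article or from Microsoft. It assumes, since the page does not say so, that the "Use HTTP 1.1" check box is backed by the REG_DWORD value EnableHttp1_1 under the current user's Internet Settings key, with 1 meaning enabled and a missing value also meaning enabled. It uses reg.exe because that ships with XP SP1, which has no PowerShell.

```batch
@echo off
REM Audit (and optionally apply) the MS06-042 crash workaround described above:
REM clearing "Use HTTP 1.1" under Internet Options > Advanced.
REM Added example, not the article's or Microsoft's own script.
REM ASSUMPTION (not stated on the page): the check box maps to the REG_DWORD
REM EnableHttp1_1 in the per-user Internet Settings key; 1 = enabled, absent = enabled.
setlocal
set KEY=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
set VAL=EnableHttp1_1

REM Read the current value with reg.exe (present on XP, unlike PowerShell).
REM reg query prints "    EnableHttp1_1    REG_DWORD    0x1"; token 3 is the data.
set CUR=absent
for /f "tokens=3" %%A in ('reg query "%KEY%" /v %VAL% 2^>nul ^| find /i "%VAL%"') do set CUR=%%A

if /i "%CUR%"=="0x0" (
    echo HTTP 1.1 is DISABLED for %USERNAME% - crash workaround is in place.
) else (
    echo HTTP 1.1 is ENABLED for %USERNAME% ^(value: %CUR%^) - workaround NOT applied.
)

REM Pass /apply to clear the setting; IE must be restarted to pick the change up.
REM This only affects the user running the script, exactly like the GUI steps.
if /i "%~1"=="/apply" (
    reg add "%KEY%" /v %VAL% /t REG_DWORD /d 0 /f >nul
    echo Set %VAL%=0 for %USERNAME%. Re-enable HTTP 1.1 once the revised MS06-042 patch is installed.
)
endlocal
```

Run it without arguments to audit, or with `/apply` to disable HTTP 1.1 for the logged-on user. Note that this is a workaround for the crash only; it does not substitute for the hotfix or the revised patch Microsoft promised, and the setting should be restored afterwards because disabling HTTP 1.1 also turns off persistent connections and compression for ordinary browsing.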
To be continued...
Posted by Paul Roberts on August 22, 2006 11:59 AM