September 12, 2006
Three's a charm for MS06-042?
It's patch Tuesday again, and Microsoft's hoping three's a charm for its wayward Cumulative IE patch, MS06-042.
The company quietly re-released (actually re-re-released) 042 today to fix yet another security hole introduced by the software update. MS06-042 wasn't listed among the new fixes in the September patch release, but the company pushed out an update fixing the new hole, according to the company's Web page.
Meet the new patch. Same as the old patch.
According to Microsoft's security bulletin, the IE patch was updated September 12 to fix another remote code execution vulnerability in IE's handling of long URLs from Web sites using the HTTP 1.1 protocol and compression. That's almost identical to the problem introduced in the original version of the patch, then discovered by security researchers at eEye Digital Security.
Come Back to the Five and Dime, Stevie T.
Microsoft's inability to nail down the Long URL problem raises questions about the performance of the MSRC, which had gained a solid reputation for patch testing and distribution in recent years. With Vista nearing completion, the ranks are shifting within Microsoft's Security Technology Unit (STU). Longtime STU VP Mike Nash went on sabbatical in June after four years at the helm. More recently, MSRC program manager Stephen Toulouse announced that he was shifting his energies from security response to Vista's security features.
"There seems to have been a lot of management execution problems at Microsoft over this Internet Explorer MS06-042 patch," said Marc Maiffret, the Chief Hacking Officer at eEye. "They have now re-released it a second time and again only because independent third party researchers told them about it. Hopefully this is not a sign of some downswing, lack of focus, on their Trustworthy Computing initiative."
Posted by Paul Roberts on September 12, 2006 12:50 PM
- COMMENTS
QUESTION: why in the hell is Microsoft updating the security bulletin and saying to download the newest update at the link provided on the security bulletin and when u download the latest version of this patch update its the file contents read with WinRAR before extracted or installed have the same gosh damn file dates as the first damn patch released in August? meaning in layman's terms: they have not put a link on their gosh damn security bulletin to the LATEST damn patch file?? why is this? email me please and tell Microsoft someone.. give me kudos for knowing this!
Posted by: joseph at September 13, 2006 01:39 AM
After three months of being pounded with some of the largest Microsoft patch cycles, it looks as though they're providing us with a breather. Don't get too comfortable though, researchers seem to have plenty of Microsoft content in their queue. Look no further than the 7 pending advisories in the ZDI queue - http://www.zerodayinitiative.com/upcoming_advisories.html for proof of that. I've made the following blog post discussing my thoughts on this month's Microsoft patches - http://portal.spidynamics.com/blogs/msutton/.
Posted by: Michael Sutton at September 13, 2006 07:37 AM
I run an osCommerce based website with gzip compression. After the patch from Microsoft some of my customers with SP2 can't complete the checkout any more as it takes a long time to proceed. The only way is either refresh the page or clear the HTTP settings in IE. I tested it myself with the very latest patch with SP2. Even though Microsoft claims that the SP2 wasn't affected I can see it doesn't work. As soon as I remove the patch then it works fine. So it makes me wonder how much testing goes into it before they release a patch ?????
Posted by: Jay at September 25, 2006 08:58 AM