By Ryan Naraine
August 22, 2006
On the same day Microsoft is expected to re-release an Internet Explorer
security update, a private security research outfit is warning that the
original patch actually introduced an exploitable vulnerability.
The new warning comes less than a week after Microsoft offered a private
hotfix for the browser because of a glitch that caused unexpected
However, according to an advisory from eEye Digital Security, the
browser crash could cause a "high risk" buffer overflow that could lead
to code execution attacks.
"After investigating and confirming that indeed this is an exploitable
condition, we are alerting people to the true severity of these
'crashing' problems that people are experiencing, so that they can take
the appropriate mitigation steps as need be," said Marc Maiffret, chief
hacking officer at eEye, in Aliso Viejo, Calif.
Microsoft confirmed eEye's new discovery and said the updated IE patch
would be delayed indefinitely.
"Due to an issue discovered in final testing that impacts a customer's
ability to broadly deploy the update, Microsoft will not be re-releasing
MS06-042 today [Aug. 22]," a company spokesperson said in a statement
sent to eWEEK.
Microsoft also posted a security advisory that pinpointed the issue as
"long URLs to sites using HTTP 1.1 and compression."
The company also chided eEye for going public with its findings before a
comprehensive fix could be made available.
However, Maiffret noted that his company's warning never included any
details that could point to the cause of the bug.
Instead, he noted that Microsoft's advisory mentions "long URLs" as the
"We never mentioned 'long URLs' publicly anywhere because we did not
want to release any details," Maiffret said, pointing out that Microsoft
has released more information on the bug than anyone else.
Maiffret said the exploitable flaw affects Windows 2000 with IE6 SP1 and
MS06-042 hotfix installed; and Windows XP SP1 with IE6 SP1 and MS06-042
The original patches were shipped as part of the MS06-042 cumulative
security update for Internet Explorer, but immediately after the release
of the patch on Aug. 8, IE users complained that the browser was
crashing when viewing certain Web sites.
On Aug. 11, Microsoft acknowledged the browser crash issues with a
knowledge base article and said it was only happening on Web sites using
the HTTP 1.1 protocol and compression.
A hotfix was offered to businesses through Microsoft's PSS (Product
Support Services), and the company said it would re-release the full IE
update on Aug. 22.
According to eEye's Maiffret, the new exploitable issue is already known
in research circles and among exploit writers.
"[It] is important that IT administrators understand the true threat of
this problem, that this is not simply a crashing bug as Microsoft has
been incorrectly misrepresenting it, but in fact that it is an
exploitable security bug," he said.
"Researchers and exploit developers know this, therefore it is extremely
important that IT administrators are told what really is going on," he
Maiffret recommends that affected IE users disable HTTP 1.1
functionality in the browser.
He also suggested that Windows users upgrade to Windows XP SP2 (Service
Pack 2) to protect against the vulnerability.
Public support for Windows XP SP1 ends in October 2006.