By Ryan Naraine
August 24, 2006
Microsoft on Aug. 24 re-released its MS06-042 bulletin to provide
patches for a code execution Internet Explorer flaw that was
introduced by the original fix.
The reissued browser patch, which is effectively an out-of-band
update, brings an end to an embarrassment episode that included a
verbal spat between Redmond, Wash., software maker and a private
security research firm.
Microsoft originally described the problem as a browser crash but was
later forced to acknowledge the critical security risk after eEye
Digital Security issued a public warning that the crash was remotely
In the updated bulletin, Microsoft removed eEye's name from the list
of companies credited with reporting the flaw.
"Unfortunately, eEye Digital Security chose to make the exploitability
of the already public crashing issue widely available despite our
concerns that this would put customers at risk," a Microsoft
"Therefore as per our acknowledgement policies, they are not credited
in the bulletin as working with Microsoft responsibly to protect our
customers," he added.
The re-release was scheduled for Aug. 22 but was delayed for a few
days because of problems with Microsoft's patch delivery technology.
A source told eWEEK said the problems centered around the way
Microsoft's proprietary SMS (Systems Management Server) handled
cabinet (.cab) files.
Mike Reavey, operations manager of the MSRC (Microsoft Security
Response Center), defended the company's decision to delay the patch,
arguing that a lot of customers affected by the bug would have had
problems downloading the fix.
"A large number of our customers running Internet Explorer 6.0 SP1 are
running it on Windows 2000, as that is the most current version of
Internet Explorer for that platform. Those customers rely heavily on
deployment tools such as the Microsoft Baseline Security Analyzer
(MBSA) and the Inventory Tool for Microsoft Updates (ITMU). The
problem we discovered late in testing was related to a background
technology used by those deployment technologies," Reavey said.
Because of the internal distribution problem, he said, a "significant
portion of customers would have been unable to deploy the update" if
it was rolled out on Aug. 22.
"This is very important. Because while some customers still using
Internet Explorer 6.0 SP1 do utilize other detection and deployment
technologies, a large portion still rely on the deployment
technologies like MBSA and the ITMU due to their support of older
products and infrastructures," Reavey said.
MBSA (Microsoft Baseline Security Analyzer) and ITMU (Inventory Tool
for Microsoft Updates) are used by IT professionals to help determine
the security state and update compliance of managed systems.
"Because this directly affects the ability of those customers most
affected by the re-release to protect themselves, we delayed the
release to successfully address this issue so that all customers could
protect themselves fully. We simply cannot leave those customers
behind on a security release. We feel it this was the right call to
make, and it was not an easy one," he added.
HITBSecConf2006 - Malaysia
The largest network security event in Asia
32 internationally renowned speakers
7 tracks of hands-on technical training sessions.
Register now: http://conference.hitb.org/hitbsecconf2006kl/