I thought some of you may be interested in this information, especially if you
are operating a network not using WINDOWS XP SP2:
IE patch carries security bug | Tech News on ZDNet
By Joris Evers, CNET News.com
Published on ZDNet News: August 22, 2006, 5:41 PM PT
There's more trouble with Microsoft's latest Internet Explorer patch: It
introduces a serious new security flaw on some Windows systems.
The vulnerability could let miscreants hijack a Windows PC running IE 6 with
Service Pack 1 and the MS06-042 update installed, Microsoft said in a security
advisory published on Tuesday. The flaw lies in the way IE handles long Web
addresses and could be exploited by luring users to specially crafted Web sites,
according to the advisory.
"An attacker who successfully exploited this vulnerability could remotely take
complete control of an affected system," Microsoft said in its advisory.
"We are not aware of attacks that try to use the reported vulnerability."
Microsoft released the MS06-042 security update on Aug. 8 as part of its monthly
patch cycle. The update, deemed "critical" by Microsoft, addresses eight
flaws in the ubiquitous browser. It is one of a dozen security updates that
Microsoft released this month on Patch Tuesday.
The company planned to release a new version of the MS06-042 update on Tuesday
to fix a problem with browser crashes reported by some users after installing
the original fix. That crash, it turns out, is the result of a "buffer overrun"
flaw introduced by the security update, Microsoft said. The flaw could be
exploited by cyberattackers.
Further compounding the troubles with the IE patch, Microsoft postponed the
release of the updated fix at the eleventh hour because of an undisclosed
problem discovered during testing, Stephen Toulouse, a Microsoft Security
Response program manager, wrote on a corporate blog Tuesday.
"Providing the update in its current state would have resulted in customers
being unable to deploy the update," Toulouse wrote, adding that the issue was
discovered late Monday night.
As a result, users of IE 6.0 with SP1 are vulnerable to cyberattack regardless
of their patching status. Microsoft advises users to install the patch and
to disable the use of Hypertext Transfer Protocol (HTTP) version 1.1 in the
browser.
The security issue does not impact other versions of IE, such as the version in
Windows XP with SP2 or on Windows Server 2003, Microsoft said.
This is not the only patch Microsoft issued this month that is causing trouble.
On Thursday, the company released a "hotfix" for a fault in security patch
MS06-040.
The fix addresses the problem of programs failing if they request one gigabyte
or more of information on a patched system.
An update to the MS06-042 update is still in the works, but Microsoft could not
say when it would be ready.
VICUG-L is the Visually Impaired Computer User Group List.
VICUG-L is archived on the World Wide Web at
http://listserv.icors.org/archives/vicug-l.html