VICUG-L Archives

Visually Impaired Computer Users' Group List

VICUG-L@LISTSERV.ICORS.ORG

Subject:
From: Randy Hayhurst <[log in to unmask]>
Reply To: Randy Hayhurst <[log in to unmask]>
Date: Wed, 23 Aug 2006 09:25:51 -0500
Content-Type: text/plain
Parts/Attachments: text/plain (123 lines)

I thought some of you may be interested in this information, especially if you 
are operating a network not using WINDOWS XP SP2:

IE patch carries security bug | Tech News on ZDNet

By Joris Evers, CNET News.com

Published on ZDNet News: August 22, 2006, 5:41 PM PT

There's more trouble with Microsoft's latest Internet Explorer patch: It 
introduces a serious new security flaw on some Windows systems.



The vulnerability could let miscreants hijack a Windows PC running IE 6 with Service Pack 1 and the MS06-042 update installed, Microsoft said in a security advisory published on Tuesday. The flaw lies in the way IE handles long Web addresses and could be exploited by luring users to specially crafted Web sites, according to the advisory.



"An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system," Microsoft said in its advisory. "We are not aware of attacks that try to use the reported vulnerability."



Microsoft released the MS06-042 security update on Aug. 8 as part of its monthly patch cycle. The update, deemed "critical" by Microsoft, addresses eight flaws in the ubiquitous browser. It is one of a dozen security updates that Microsoft released this month on Patch Tuesday.



The company planned to release a new version of the MS06-042 update on Tuesday to fix a problem with browser crashes reported by some users after installing the original fix. That crash, it turns out, is the result of a "buffer overrun" flaw introduced by the security update, Microsoft said. The flaw could be exploited by cyberattackers.



Further compounding the troubles with the IE patch, Microsoft postponed the release of the updated fix at the eleventh hour because of an undisclosed problem discovered during testing, Stephen Toulouse, a Microsoft Security Response program manager, wrote on a corporate blog Tuesday.

"Providing the update in its current state would have resulted in customers being unable to deploy the update," Toulouse wrote, adding that the issue was discovered late Monday night.



As a result, users of IE 6.0 with SP1 are vulnerable to cyberattack regardless of their patching status. Microsoft advises users to install the patch and to disable the use of Hypertext Transfer Protocol (HTTP) version 1.1 in the browser.



The security issue does not impact other versions of IE, such as the version in 
Windows XP with SP2 or on Windows Server 2003, Microsoft said.



This is not the only patch Microsoft issued this month that is causing trouble. On Thursday, the company released a "hotfix" for a fault in security patch MS06-040. The fix addresses the problem of programs failing if they request one gigabyte or more of information on a patched system.



An update to the MS06-042 update is still in the works, but Microsoft could not 
say when it would be ready.


    VICUG-L is the Visually Impaired Computer User Group List.
    Send comments on list operation to
    [log in to unmask]
     VICUG-L is archived on the World Wide Web at
    http://listserv.icors.org/archives/vicug-l.html
    Signoff: [log in to unmask]
    Subscribe: [log in to unmask]
