Know that recent Internet Explorer 6 patch that caused browsers to crash? Turns out Microsoft actually introduced a new vulnerability for IE6 browsers running Service Pack 1, according to the researchers who discovered it.
eEye Digital Security alerted Microsoft about the bug last Thursday after testing the patch. "[Microsoft] either didn't realize it was a security vulnerability or were hoping nobody would notice," says Marc Maiffret, CTO and chief hacking officer of eEye.
Microsoft had put up a Knowledge Base article on its site on August 11 -- three days after issuing MS06-042 along with the other 11 patches on its monthly Patch Tuesday -- that explained that the patch caused the browser crashes. (See Microsoft's Big Patch Day.) The crashes occur when viewing HTTP 1.0 Web pages that use compression.
Microsoft said last week in its Microsoft Security Response Center blog that it would release yet another patch today to take care of the browser crash problem. But the patch won't be coming today after all, according to a Microsoft spokesperson. "Due to an issue in final testing that impacts a customer's ability to broadly deploy the update, Microsoft will not be re-releasing MS06-042 today," the spokesperson said. It will release it once the "issue is resolved."
But the bigger problem is the new bug the patch generated. The vulnerability causes a heap-based buffer overflow, which lets an attacker on a malicious Website execute code with the browser user's privileges, says eEye's Maiffret.
eEye issued a general alert about the bug today, which didn't sit well with Microsoft. Maiffret says eEye went public because if researchers have found the bug, then the bad guys have too. "We won't release the technical details of it today, but we need to warn people about it," he says.
Interestingly, Microsoft's security advisory today updating the patch status was entitled "Long URLs to sites using HTTP 1.1 and compression Could Cause Internet Explorer 6 Service Pack 1 to Unexpectedly Exit." The "long URL" reference was a technical detail that hadn't been publicized by researchers.
Says researcher HD Moore, head of the Metasploit Project, "IE6 is just in a sad state. I still have three exploits that haven't been patched [by Microsoft], two of which were included in the MoBB [Month of Browser Bugs]."
Kelly Jackson Higgins, Senior Editor, Dark Reading