IE Patch Created New Vulnerability

Patch issued earlier this month for Internet Explorer inadvertently introduced new hole

Know that recent Internet Explorer 6 patch that caused browsers to crash? Turns out Microsoft actually introduced a new vulnerability for IE6 browsers running Service Pack 1, according to the researchers who discovered it.

eEye Digital Security alerted Microsoft about the bug last Thursday after testing the patch. "[Microsoft] either didn't realize it was a security vulnerability or were hoping nobody would notice," says Marc Maiffret, CTO and chief hacking officer of eEye.

Microsoft had put up a Knowledge Base article on its site on August 11 -- three days after issuing MS06-042 along with the other 11 patches on its monthly Patch Tuesday -- that explained that the patch caused the browser crashes. (See Microsoft's Big Patch Day.) The crashes occur when viewing HTTP 1.0 Web pages that use compression.

Microsoft said last week in its Microsoft Security Response Center blog that it would release yet another patch today to take care of the browser crash problem. But the patch won't be coming today after all, according to a Microsoft spokesperson. "Due to an issue in final testing that impacts a customer's ability to broadly deploy the update, Microsoft will not be re-releasing MS06-042 today," the spokesperson said. It will release it once the "issue is resolved."

But the bigger problem is the new bug the patch generated. The vulnerability causes a heap-based buffer overflow, which lets an attacker on a malicious Website execute code with the browser user's privileges, says eEye's Maiffret.

eEye issued a general alert about the bug today, which didn't sit well with Microsoft. Maiffret says eEye went public because if researchers have found the bug, then the bad guys have too. "We won't release the technical details of it today, but we need to warn people about it," he says.

Interestingly, Microsoft's security advisory today updating the patch status was entitled "Long URLs to sites using HTTP 1.1 and compression Could Cause Internet Explorer 6 Service Pack 1 to Unexpectedly Exit." The "long URL" reference was a technical detail that hadn't been publicized by researchers.

Says researcher HD Moore, head of the Metasploit Project, "IE6 is just in a sad state. I still have three exploits that haven't been patched [by Microsoft], two of which were included in the MoBB [Month of Browser Bugs]."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights