Microsoft to Repair Flawed IE Patch


Microsoft said it will issue a fix for a patch the firm released last week that was meant to repair a vulnerability in Internet Explorer. The patch was found to have a security bug of its own, which could allow attackers to take over a Windows PC, even with the original IE update installed.


Microsoft's (Nasdaq: MSFT) Patch Tuesday activity carried over from last week into this one as the software giant promised to issue a fix for its latest Internet Explorer security patch, which apparently carries a security bug of its own.

The vulnerability could allow attackers to take complete control over a Windows PC running IE 6 with Service Pack 1 and the MS06-042 update installed, according to a Microsoft security advisory published this week. The flaw lies in the way IE handles long Web addresses. The firm has not yet said when the new patch will be ready.

"An attacker who successfully exploited this vulnerability could gain the same user rights as the local user," Microsoft reported in its security advisory. "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

Microsoft's Explanation

In one attack scenario, an attacker could host a Web site containing a page that would exploit this vulnerability.

Microsoft explained that compromised Web sites and those that accept or host user-provided content or advertisements may contain specially crafted content that could exploit this flaw.

In all cases, however, an attacker would have no way of forcing users to visit these Web sites. Instead, an attacker would have to persuade users to visit the sites, typically by getting them to click on a link in an e-mail or instant messenger message.

The IE browser's restricted sites zone helps reduce attacks that are meant to exploit this vulnerability by preventing active scripting from being used when a user is reading HTML e-mail messages. However, Microsoft said that if a user clicks a link in an e-mail message, he or she could still be exposed to this vulnerability through the Web-based attack scenario. By default, several versions of the Outlook e-mail client open messages in the restricted sites zone.

It's not uncommon for incompatibilities and vulnerabilities to arise when you introduce new code, according to Ken Dunham, senior engineer at threat intelligence firm iDefense. In fact, that's one major point in the debate over whether companies should issue third-party patches.

"You can imagine trying to manage a project with millions of lines of code and all sorts of interoperability issues that might emerge, with the need for secure computing on top of it. It's a hefty challenge. It's not easy for anyone," Dunham told TechNewsWorld.

The Cat and Mouse Game

To Microsoft's credit, the company does have the ability to automatically check its code for buffer overflows, one of the most widely exploited browser flaws in the past few years. Analysts said with increasingly sophisticated code, it's simply becoming more difficult to secure applications.

"Some people may feel that it's two steps forward and one step back, but the reality is, we do live in a cat and mouse game world with the hackers, and that will never go away," Dunham noted. "There is a responsibility to securely code applications, and there is the reality that with millions of lines of code, you are going to have some issues crop up."

By Jennifer LeClaire, TechNewsWorld