Friday, September 15, 2006

Microsoft Re-Re-Releases IE Patch

Acknowledging that its patching process has "not been an example of
our best work," Microsoft this week issued a second update to security
bulletin MS06-042, which was released in August. The original patch
included a security vulnerability - and it turns out the fix introduced
even more.

MS06-042, which was intended to resolve a number of security vulnerabilities in Internet Explorer, shipped with a deployment issue. The patch caused IE6 to crash when a site that uses the HTTP 1.1 protocol and compression is visited.

It was later discovered that the bug also opened the door to attackers.
The existence of a vulnerability in the patch was first announced by
eEye Digital Security, which Microsoft chided for publicly disclosing
the flaws.

An update to MS06-042
was issued on August 24, and Microsoft urged all users to upgrade.
However, that fix also apparently contained a number of other security
holes, the company has disclosed.

"A similar vulnerability was
also discovered in IE5.01 on Windows 2000, IE 6.0 SP1 (in a different
location), and the original release of Windows Server 2003 (not SP1).
This re-release fixes that vulnerability," said IE group program manager
Tony Chor.

"This release and the need for subsequent re-releases
have certainly been a learning experience for us," Chor conceded,
adding that, "we have used this experience to improve our processes and
increase transparency to ensure all of our releases are of the quality
we expect and our customers deserve."

The problems with the
Internet Explorer patch are not the first time that Microsoft has had to
deal with secondary issues caused by its fixes. In April, it had to reissue a patch because certain NVIDIA and Hewlett-Packard printer drivers were incompatible with the update.
