Feeds

Microsoft flaw fix opens users to attack

Patching the patch

Protecting users from Firesheep and other Sidejacking attacks with SSL

Microsoft continued to work on Tuesday to create a fix for an exploitable flaw introduced by the company's latest security update to Internet Explorer.

The flaw, initially thought to only crash Internet Explorer, actually allows an attacker to run code on computers running Windows 2000 and Windows XP Service Pack 1 that have applied the August cumulative update to Internet Explorer 6 Service Pack 1, security firm eEye Digital Security told SecurityFocus on Tuesday.

The update, released on 8 August, fixed eight security holes but also introduced a bug of its own, according to Marc Maiffret, chief hacking officer for the security firm, which notified Microsoft last week that the issue is exploitable.

By the following day, network administrators and users began complaining that the update, MS06-042, caused Internet Explorer to crash when browsing some sites. Three days later, security researchers at eEye discovered that the issue could be used to not just crash the browser, but to compromise PCs running Windows XP SP1 and Windows 2000. Other security researchers have also reported the issue to Microsoft, Maiffret said.

"This information is definitely out in the underground," Maiffret said. "Because of all the discussions on security mailing lists, they know that this is a bug. Any half-decent researcher knows that this is an exploitable bug."

The issue likely affects millions of Windows users. Data released by Microsoft in a report published in June broke down the types of operating systems used by the 270m computers scanned by the company's malicious software removal tool. While nearly two thirds of systems were running Windows XP Service Pack 2, nearly 23 per cent - or about 47m systems - ran either Windows 2000 or Windows XP SP1.

Microsoft had originally committed to supplying a new patch for the issue on Tuesday, but due to an problem discovered during the final tests of the software update, the company decided against releasing the fix. In a statement sent to SecurityFocus after the initial story was published, Microsoft confirmed the exploitability of the vulnerability and took eEye to task for publicising the ability of attackers to exploit the flaw.

"One of the researchers who originally disclosed the issue responsibly to Microsoft has now chosen to publicly disclose the exploitability of the issue before an update is broadly available for customers to deploy in order to protect themselves," the company said in the statement sent to SecurityFocus. "Microsoft continues to encourage responsible disclosure of vulnerabilities to minimise risk to computer users."

The security slip-up casts a shadow on Microsoft's fight to convince users and network administrators to immediately apply security patches issued by the software giant. The latest monthly patches, released on 8 August, fixed 23 flaws in common components of the Windows operating system. The flaws included 10 vulnerabilities that Microsoft deemed a critical concern. The US Department of Homeland Security even added its collective voice to those urging users to fix their systems.

Microsoft planned to fix the problem introduced by the cumulative update on Tuesday, but has delayed the release of its patch to the patch because it did not pass final muster. eEye released its own advisory on Tuesday, withholding specific details. That's more than Microsoft did, eEye's Maiffret said.

"It is reminiscent of early Microsoft security days that they would play the PR blame game as a way to somehow shift attention from all of the mistakes they have made surrounding the handling of this vulnerability," Maiffret said.

"The reality is that we released zero technical details to the public. The only place where you can know exactly what the flaw location is, is from the Microsoft advisory itself - another mistake to add to their list."

When and how much to disclosure about software vulnerabilities is a contentious issue within the security community. Most recently, one researcher drew both praise and criticism for releasing a browser bug every day for the month of July.

Other industries, such as those that build the systems used to monitor and control manufacturing and power networks, are also starting to have a similar debate.

The next step in data security

More from The Register

next story
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.