Feeds

Microsoft flaw fix opens users to attack

Patching the patch

Intelligent flash storage arrays

Microsoft continued to work on Tuesday to create a fix for an exploitable flaw introduced by the company's latest security update to Internet Explorer.

The flaw, initially thought to only crash Internet Explorer, actually allows an attacker to run code on computers running Windows 2000 and Windows XP Service Pack 1 that have applied the August cumulative update to Internet Explorer 6 Service Pack 1, security firm eEye Digital Security told SecurityFocus on Tuesday.

The update, released on 8 August, fixed eight security holes but also introduced a bug of its own, according to Marc Maiffret, chief hacking officer for the security firm, which notified Microsoft last week that the issue is exploitable.

By the following day, network administrators and users began complaining that the update, MS06-042, caused Internet Explorer to crash when browsing some sites. Three days later, security researchers at eEye discovered that the issue could be used to not just crash the browser, but to compromise PCs running Windows XP SP1 and Windows 2000. Other security researchers have also reported the issue to Microsoft, Maiffret said.

"This information is definitely out in the underground," Maiffret said. "Because of all the discussions on security mailing lists, they know that this is a bug. Any half-decent researcher knows that this is an exploitable bug."

The issue likely affects millions of Windows users. Data released by Microsoft in a report published in June broke down the types of operating systems used by the 270m computers scanned by the company's malicious software removal tool. While nearly two thirds of systems were running Windows XP Service Pack 2, nearly 23 per cent - or about 47m systems - ran either Windows 2000 or Windows XP SP1.

Microsoft had originally committed to supplying a new patch for the issue on Tuesday, but due to an problem discovered during the final tests of the software update, the company decided against releasing the fix. In a statement sent to SecurityFocus after the initial story was published, Microsoft confirmed the exploitability of the vulnerability and took eEye to task for publicising the ability of attackers to exploit the flaw.

"One of the researchers who originally disclosed the issue responsibly to Microsoft has now chosen to publicly disclose the exploitability of the issue before an update is broadly available for customers to deploy in order to protect themselves," the company said in the statement sent to SecurityFocus. "Microsoft continues to encourage responsible disclosure of vulnerabilities to minimise risk to computer users."

The security slip-up casts a shadow on Microsoft's fight to convince users and network administrators to immediately apply security patches issued by the software giant. The latest monthly patches, released on 8 August, fixed 23 flaws in common components of the Windows operating system. The flaws included 10 vulnerabilities that Microsoft deemed a critical concern. The US Department of Homeland Security even added its collective voice to those urging users to fix their systems.

Microsoft planned to fix the problem introduced by the cumulative update on Tuesday, but has delayed the release of its patch to the patch because it did not pass final muster. eEye released its own advisory on Tuesday, withholding specific details. That's more than Microsoft did, eEye's Maiffret said.

"It is reminiscent of early Microsoft security days that they would play the PR blame game as a way to somehow shift attention from all of the mistakes they have made surrounding the handling of this vulnerability," Maiffret said.

"The reality is that we released zero technical details to the public. The only place where you can know exactly what the flaw location is, is from the Microsoft advisory itself - another mistake to add to their list."

When and how much to disclosure about software vulnerabilities is a contentious issue within the security community. Most recently, one researcher drew both praise and criticism for releasing a browser bug every day for the month of July.

Other industries, such as those that build the systems used to monitor and control manufacturing and power networks, are also starting to have a similar debate.

Secure remote control for conventional and virtual desktops

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
BlackEnergy crimeware coursing through US control systems
US CERT says three flavours of control kit are under attack
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.
Getting ahead of the compliance curve
Learn about new services that make it easy to discover and manage certificates across the enterprise and how to get ahead of the compliance curve.