Feeds

Microsoft flaw fix opens users to attack

Patching the patch

5 things you didn’t know about cloud backup

Microsoft continued to work on Tuesday to create a fix for an exploitable flaw introduced by the company's latest security update to Internet Explorer.

The flaw, initially thought to only crash Internet Explorer, actually allows an attacker to run code on computers running Windows 2000 and Windows XP Service Pack 1 that have applied the August cumulative update to Internet Explorer 6 Service Pack 1, security firm eEye Digital Security told SecurityFocus on Tuesday.

The update, released on 8 August, fixed eight security holes but also introduced a bug of its own, according to Marc Maiffret, chief hacking officer for the security firm, which notified Microsoft last week that the issue is exploitable.

By the following day, network administrators and users began complaining that the update, MS06-042, caused Internet Explorer to crash when browsing some sites. Three days later, security researchers at eEye discovered that the issue could be used to not just crash the browser, but to compromise PCs running Windows XP SP1 and Windows 2000. Other security researchers have also reported the issue to Microsoft, Maiffret said.

"This information is definitely out in the underground," Maiffret said. "Because of all the discussions on security mailing lists, they know that this is a bug. Any half-decent researcher knows that this is an exploitable bug."

The issue likely affects millions of Windows users. Data released by Microsoft in a report published in June broke down the types of operating systems used by the 270m computers scanned by the company's malicious software removal tool. While nearly two thirds of systems were running Windows XP Service Pack 2, nearly 23 per cent - or about 47m systems - ran either Windows 2000 or Windows XP SP1.

Microsoft had originally committed to supplying a new patch for the issue on Tuesday, but due to an problem discovered during the final tests of the software update, the company decided against releasing the fix. In a statement sent to SecurityFocus after the initial story was published, Microsoft confirmed the exploitability of the vulnerability and took eEye to task for publicising the ability of attackers to exploit the flaw.

"One of the researchers who originally disclosed the issue responsibly to Microsoft has now chosen to publicly disclose the exploitability of the issue before an update is broadly available for customers to deploy in order to protect themselves," the company said in the statement sent to SecurityFocus. "Microsoft continues to encourage responsible disclosure of vulnerabilities to minimise risk to computer users."

The security slip-up casts a shadow on Microsoft's fight to convince users and network administrators to immediately apply security patches issued by the software giant. The latest monthly patches, released on 8 August, fixed 23 flaws in common components of the Windows operating system. The flaws included 10 vulnerabilities that Microsoft deemed a critical concern. The US Department of Homeland Security even added its collective voice to those urging users to fix their systems.

Microsoft planned to fix the problem introduced by the cumulative update on Tuesday, but has delayed the release of its patch to the patch because it did not pass final muster. eEye released its own advisory on Tuesday, withholding specific details. That's more than Microsoft did, eEye's Maiffret said.

"It is reminiscent of early Microsoft security days that they would play the PR blame game as a way to somehow shift attention from all of the mistakes they have made surrounding the handling of this vulnerability," Maiffret said.

"The reality is that we released zero technical details to the public. The only place where you can know exactly what the flaw location is, is from the Microsoft advisory itself - another mistake to add to their list."

When and how much to disclosure about software vulnerabilities is a contentious issue within the security community. Most recently, one researcher drew both praise and criticism for releasing a browser bug every day for the month of July.

Other industries, such as those that build the systems used to monitor and control manufacturing and power networks, are also starting to have a similar debate.

Secure remote control for conventional and virtual desktops

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
JLaw, Kate Upton exposed in celeb nude pics hack
100 women victimised as Apple iCloud accounts reportedly popped
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.