Feeds

Microsoft flaw fix opens users to attack

Patching the patch

High performance access to file storage

Microsoft continued to work on Tuesday to create a fix for an exploitable flaw introduced by the company's latest security update to Internet Explorer.

The flaw, initially thought to only crash Internet Explorer, actually allows an attacker to run code on computers running Windows 2000 and Windows XP Service Pack 1 that have applied the August cumulative update to Internet Explorer 6 Service Pack 1, security firm eEye Digital Security told SecurityFocus on Tuesday.

The update, released on 8 August, fixed eight security holes but also introduced a bug of its own, according to Marc Maiffret, chief hacking officer for the security firm, which notified Microsoft last week that the issue is exploitable.

By the following day, network administrators and users began complaining that the update, MS06-042, caused Internet Explorer to crash when browsing some sites. Three days later, security researchers at eEye discovered that the issue could be used to not just crash the browser, but to compromise PCs running Windows XP SP1 and Windows 2000. Other security researchers have also reported the issue to Microsoft, Maiffret said.

"This information is definitely out in the underground," Maiffret said. "Because of all the discussions on security mailing lists, they know that this is a bug. Any half-decent researcher knows that this is an exploitable bug."

The issue likely affects millions of Windows users. Data released by Microsoft in a report published in June broke down the types of operating systems used by the 270m computers scanned by the company's malicious software removal tool. While nearly two thirds of systems were running Windows XP Service Pack 2, nearly 23 per cent - or about 47m systems - ran either Windows 2000 or Windows XP SP1.

Microsoft had originally committed to supplying a new patch for the issue on Tuesday, but due to an problem discovered during the final tests of the software update, the company decided against releasing the fix. In a statement sent to SecurityFocus after the initial story was published, Microsoft confirmed the exploitability of the vulnerability and took eEye to task for publicising the ability of attackers to exploit the flaw.

"One of the researchers who originally disclosed the issue responsibly to Microsoft has now chosen to publicly disclose the exploitability of the issue before an update is broadly available for customers to deploy in order to protect themselves," the company said in the statement sent to SecurityFocus. "Microsoft continues to encourage responsible disclosure of vulnerabilities to minimise risk to computer users."

The security slip-up casts a shadow on Microsoft's fight to convince users and network administrators to immediately apply security patches issued by the software giant. The latest monthly patches, released on 8 August, fixed 23 flaws in common components of the Windows operating system. The flaws included 10 vulnerabilities that Microsoft deemed a critical concern. The US Department of Homeland Security even added its collective voice to those urging users to fix their systems.

Microsoft planned to fix the problem introduced by the cumulative update on Tuesday, but has delayed the release of its patch to the patch because it did not pass final muster. eEye released its own advisory on Tuesday, withholding specific details. That's more than Microsoft did, eEye's Maiffret said.

"It is reminiscent of early Microsoft security days that they would play the PR blame game as a way to somehow shift attention from all of the mistakes they have made surrounding the handling of this vulnerability," Maiffret said.

"The reality is that we released zero technical details to the public. The only place where you can know exactly what the flaw location is, is from the Microsoft advisory itself - another mistake to add to their list."

When and how much to disclosure about software vulnerabilities is a contentious issue within the security community. Most recently, one researcher drew both praise and criticism for releasing a browser bug every day for the month of July.

Other industries, such as those that build the systems used to monitor and control manufacturing and power networks, are also starting to have a similar debate.

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.