Microsoft flaw fix opens users to attack

Microsoft continued to work on Tuesday to create a fix for an exploitable flaw introduced by the company's latest security update to Internet Explorer.

The flaw, initially thought to only crash Internet Explorer, actually allows an attacker to run code on computers running Windows 2000 and Windows XP Service Pack 1 that have applied the August cumulative update to Internet Explorer 6 Service Pack 1, security firm eEye Digital Security told SecurityFocus on Tuesday.

The update, released on 8 August, fixed eight security holes but also introduced a bug of its own, according to Marc Maiffret, chief hacking officer for the security firm, which notified Microsoft last week that the issue is exploitable.

By the following day, network administrators and users began complaining that the update, MS06-042, caused Internet Explorer to crash when browsing some sites. Three days later, security researchers at eEye discovered that the issue could be used to not just crash the browser, but to compromise PCs running Windows XP SP1 and Windows 2000. Other security researchers have also reported the issue to Microsoft, Maiffret said.

"This information is definitely out in the underground," Maiffret said. "Because of all the discussions on security mailing lists, they know that this is a bug. Any half-decent researcher knows that this is an exploitable bug."

The issue likely affects millions of Windows users. Data released by Microsoft in a report published in June broke down the types of operating systems used by the 270m computers scanned by the company's malicious software removal tool. While nearly two thirds of systems were running Windows XP Service Pack 2, nearly 23 per cent - or about 47m systems - ran either Windows 2000 or Windows XP SP1.

Microsoft had originally committed to supplying a new patch for the issue on Tuesday, but due to an problem discovered during the final tests of the software update, the company decided against releasing the fix. In a statement sent to SecurityFocus after the initial story was published, Microsoft confirmed the exploitability of the vulnerability and took eEye to task for publicising the ability of attackers to exploit the flaw.

"One of the researchers who originally disclosed the issue responsibly to Microsoft has now chosen to publicly disclose the exploitability of the issue before an update is broadly available for customers to deploy in order to protect themselves," the company said in the statement sent to SecurityFocus. "Microsoft continues to encourage responsible disclosure of vulnerabilities to minimise risk to computer users."

The security slip-up casts a shadow on Microsoft's fight to convince users and network administrators to immediately apply security patches issued by the software giant. The latest monthly patches, released on 8 August, fixed 23 flaws in common components of the Windows operating system. The flaws included 10 vulnerabilities that Microsoft deemed a critical concern. The US Department of Homeland Security even added its collective voice to those urging users to fix their systems.

Microsoft planned to fix the problem introduced by the cumulative update on Tuesday, but has delayed the release of its patch to the patch because it did not pass final muster. eEye released its own advisory on Tuesday, withholding specific details. That's more than Microsoft did, eEye's Maiffret said.

"It is reminiscent of early Microsoft security days that they would play the PR blame game as a way to somehow shift attention from all of the mistakes they have made surrounding the handling of this vulnerability," Maiffret said.

"The reality is that we released zero technical details to the public. The only place where you can know exactly what the flaw location is, is from the Microsoft advisory itself - another mistake to add to their list."

When and how much to disclosure about software vulnerabilities is a contentious issue within the security community. Most recently, one researcher drew both praise and criticism for releasing a browser bug every day for the month of July.

Other industries, such as those that build the systems used to monitor and control manufacturing and power networks, are also starting to have a similar debate.