
Microsoft Re-Re-Releases IE Patch

uniquebydegrees writes, "InfoWorld reports that on Tuesday Microsoft quietly released the second update for MS06-042. This is the cumulative patch for IE that actually introduced a new security hole into systems that applied the update. Microsoft re-released the patch back in August, but it now turns out that the updated patch had yet another vulnerability similar to the first, once again discovered by folks at eEye Digital Security. As with the previous hole, it concerned the handling of long URLs from web sites using HTTP 1.1 with compression."
This discussion has been archived. No new comments can be posted.

  • Bugger! (Score:3, Interesting)

    by ackthpt ( 218170 ) * on Tuesday September 12, 2006 @04:57PM (#16092316) Homepage Journal

    I just spent 4 hours downloading and installing patches over the weekend and now I've got more...

    I'm just glad I don't use IE, that's all.

    i'd really like to know why it downloaded all those outlook patches, considering i don't have that installed and have never had it installed...

    • by Tackhead ( 54550 )
      > i'd really like to know why it downloaded all those outlook patches, considering i don't have that installed and have never had it installed...

      DIR C:\PROGRA~1\OUTLOO~1

      Son of a bitch. They're back on my box too. I remember how many hoops I had to jump through to delete them when I first set up this box. Now they're back, but the old batch file that wiped the multiple copies of the .DL_ files in \I386 as well as the copies in the DLLCACHE directory no longer works. WTF?

      • maybe because the files are now "protected" system files (the point is to make sure that Windows itself doesn't get borked but...) i would port the batch file to bash and then do the run from a Live CD (make sure you have ntfs write support)
        • by RKBA ( 622932 )
          That's why I also install a second maintenance version of Windows 2000; i.e., so that I can delete "protected" and "in use", etc., Windows system files easily. It also makes it very easy to make backup copies of the Windows registry directory.
      • Re:Bugger! (Score:4, Funny)

        by this great guy ( 922511 ) on Tuesday September 12, 2006 @08:16PM (#16093330)
        DIR C:\PROGRA~1\OUTLOO~1

        Reminds me of an old joke...
        Windows 95: comes with built-in support for long filena~1.

    • I just spent 4 hours downloading and installing patches over the weekend and now I've got more...

      I'm just glad I don't use IE, that's all.

      I'm glad I don't use your ISP. It doesn't take me long to download the updates. No longer than it takes to download a Firefox update, which didn't get nearly as harsh a reaction even though they've also released quick fixes to regression patches. I didn't have to download any Outlook updates o

  • by celardore ( 844933 ) on Tuesday September 12, 2006 @04:59PM (#16092331)
    Th-th-th-that's all folks!
  • The marketing blitz begins. World's most secure browse... WHAT?? The patched patched we patched and patched again only to have to patch the patch we patched needs patched. Save it for Vista Service Pack 5!!
    • Foofoobar:
      > Save it for Vista Service Pack 5!!

      You won't have to save long. I think Vista has got to be the first product release that will have over 6 "service packs" ready for it before the shrink wrap went on the GA.
      • I am very glad they are cracking down on third party security software in Vista since Microsoft obviously have such a great security model we should have full confidence in. In all seriousness though, I wonder how many more people will start getting router-type devices between their computer and net connection, filtering content, connections and data, all because of this action. Looking forward to va-va-va-vista!
    • I don't think Microsoft claims that IE 5.01 is currently the world's most secure browser. This bug that they are patching with the re-rerelease doesn't exist in IE on XP SP2, Server SP1 or in IE7 (including Vista), so the claims that things got more secure starting with XP SP2 again seem pretty reasonable.
  • by Anonymous Coward

    I choo-choo-choose to install it.

  • Microsoft Re-Re-Releases IE Patch

    Maybe Microsoft just need to release a new operating system to fix the IE bugs for good. I heard Apple has a good operating system.
    • It might be easier if they just integrated the gecko rendering engine from Firefox into Windows, instead of using IE.
      • Bad idea. Gecko isn't perfect...Security holes are found and fixed every week.

        If you replace Microsoft's HTML rendering code with Gecko, you won't have done any better than change the set of bugs. At worst, you've created a target for crackers whose codebase is shared across many operating systems, and not just those sold by Microsoft.

        So junk intended for Windows will, at best, cause crashes and misbehavior in Firefox, Galeon, etc. on Linux. At the worst, it could start showing up on your filesystem anywh
  • Since . . . (Score:5, Informative)

    by OverlordQ ( 264228 ) on Tuesday September 12, 2006 @05:10PM (#16092404) Journal
    Well, you complain about Microsoft not fixing the patch in 3 attempts when you CANT EVEN TELL THE DIFFERENCE BETWEEN A PATCH AND A VULNERABILITY.

    MS06-042 is the Security Bulletin.
    KB918899 is the KB id w/ Patch.
    • by cp.tar ( 871488 )
      Well, you complain about Microsoft not fixing the patch in 3 attempts when you CANT EVEN TELL THE DIFFERENCE BETWEEN A PATCH AND A VULNERABILITY.

      Neither can they, it appears. That's why they had to release it all over again.
      Twice.

      • by Fred_A ( 10934 )
        They remembered what their moms used to say : "Practice makes perfect".

        Come on Microsoft, you're getting there, a few more and we'll be done (switching a few more people) !
    • ... CANT EVEN TELL THE DIFFERENCE BETWEEN A PATCH AND A VULNERABILITY...

      It's no surprise he can't tell the difference. In this case, the patch is the vulnerability.

      Besides, making a mistake while complaining about Microsoft isn't on the same scale as Microsoft releasing a series of bad patches. Did the GP's mistake result in any botnets? More importantly, the GP's mistake doesn't make Microsoft's mistake any less harmful.

  • Huh (Score:3, Funny)

    by theophylline ( 1002093 ) on Tuesday September 12, 2006 @05:13PM (#16092423)
    I downloaded the IE patch a while ago and it works great. It's called Firefox.
  • by Koragnar ( 780289 ) on Tuesday September 12, 2006 @05:15PM (#16092429)
    When did George Lucas join Microsoft?
  • 1. Remove all shortcuts to IE
    2. Install Firefox and/or Opera (I like both, Opera for email, Firefox for everything else)
    3. ...
    4. Profit!
    • Unfortunately, IE is still used in Outlook, Outlook Express, and Windows Help, among other places. While your fix is good enough for most cases, vulnerabilities can often be exploited in other programs that use the IE controls to render HTML.
      • That's why I didn't remove it, just the shortcuts. Since I don't use such programs/controls/etc, such worries never occur.
      • I never understood using Outlook. In the first place, I can't figure out how to get my yahoo mail to go there (can't figure out how to get my school mail to go to Evolution either). In the second place, how much harder is it to log in to yahoo.com mail than to double click on Outlook? You have to connect to the internet anyway. Third, webmail is available from anywhere, even from the web browser on a cell phone--why even bother with Outlook (or Evolution--unless it's for the calendar which I love--or Th
        • God knows I'd never suggest using Outlook, and Evolution really isn't ready for prime time, but I use Thunderbird (and Eudora before that) because I want my mail on my machine, not on the web. I have mailing lists dating back to 1994 I use for research, and if my net connection goes down (as it does out here in the boonies), I can still search my archives.
  • by Software ( 179033 ) on Tuesday September 12, 2006 @05:30PM (#16092508) Journal
    It's nice to know that they're re-fixing the security hole, but how about fixing the browser crashes? From http://support.microsoft.com/kb/923996/:
    When you visit a Web page that uses a custom pop-up object, Microsoft Internet Explorer 6 closes unexpectedly and generates an error in the Mshtml.dll file. This problem occurs after you install security update 918899 on a Windows XP Service Pack 2 (SP2)-based or a Windows Server 2003 Service Pack 1 (SP1)-based computer. A hotfix is available if you are severely affected by this problem. Otherwise, we recommend that you wait for the next cumulative security update for Internet Explorer.
  • Third-party security software, no one in their right (or even severely handicapped) mind would think such. Thank you for reconfirming my suspicions MS.
  • Related to compressed long URLs? Wasn't there a report about some compressed folders with sizes near multiples of 4K gets last chunk padded with 0xD? or something like that? At what point code reuse becomes bug reuse?
  • by Jett ( 135113 )
    Does it still break Siebel?
  • There are people who still haven't upgraded to XP SP2 or 2003 SP1 ?

    Microsoft shouldn't waste time patching/supporting these older browser versions.
    • Microsoft shouldn't waste time patching/supporting these older browser versions.

      While your argument does have some merit, the whole "focus on the new stuff" idea isn't very helpful to a company's image. (Note to ACs: Perfect place to reply with "Can MS's image get any worse? LOLROFLMCBOFL!") For example, say you're playing an old-school game on the PC. Oh noes! It doesn't work. Why not? Well, the company's website says that only the FAQ pages for that game are still up, because they stopped giving specifi

      • I would agree that they should support old versions but at this point is there any reason for the home user not to upgrade to SP2? With the exception of business apps everything should be compliant by now.
      • by Z34107 ( 925136 )

        While your argument does have some merit, the whole "focus on the new stuff" idea isn't very helpful to a company's image.

        They can create a "new stuff" patch for the old stuff, or people could just use the patch they already have. XP SP2 is free.

        • no, it isn't free. not if it breaks dependencies and makes important software unusable. the user has fallen into a proprietary software trap. what happens if the manufacturer of a software you use has gone out of business and sp2 breaks the software on your computer? if the software you use(d) also saves information in a proprietary format, sp2 is suddenly enormously expensive.
  • Of course, the political correctness gestapo will not allow me to explain more.
  • Bugs Bunny: And so, having re-redisposed of the monster, exit our hero through the front door, stage right.
  • I've been on eEye's mailing list for awhile ever since I downloaded Retina. The message they sent regarding this patch release is as follows, "The re-release of MS06-042 comes as a result of eEye Digital Security finding yet another security vulnerability in the original MS06-042 patch. For those of you keeping score, it is now MS06-042: 0 and eEye Research: 2." Classic!
  • With so many engineers, you'd think they'd have a few to spare whom they could assign to writing unit tests. Microsoft seems to push these releases out after an all hands call to "try it out" rather than any comprehensive testing.
  • You would think by now they would have replaced the QA department or partner up with another security firm that can double check update before it goes out the door.
