A Patch for a Patch? MS06-042 is Flawed
Microsoft shot itself in the foot this month by releasing a security update (MS06-042) that not only caused IE6 to crash when visiting certain websites, but could also be exploited to let attackers gain control of an unsuspecting user's computer.
Patched browsers would crash when using Web-based versions of several applications, including PeopleSoft, Siebel, and Sage CRM. Web sites that used HTTP 1.1 compression to speed up the downloading of images could also cause the browser to fail.
"What people didn't know about that patch is when [Microsoft] introduced that patch, they actually introduced a new exploitable vulnerability," said eEye chief hacking officer Marc Maiffret. "They basically butchered that patch."