[Geeks are Sexy] technology news





Thursday, August 24, 2006

A Patch for a Patch? MS06-042 is Flawed

Microsoft shot themselves in the foot this month by releasing a security update (MS06-042) that not only caused IE6 to crash when used to visit certain websites, but could also be exploited to allow attackers to gain control of an unsuspecting user's computer.

Patched browsers would crash when using Web-based versions of several applications, including PeopleSoft, Siebel, and Sage CRM. Web sites that used HTTP 1.1 compression to speed up the downloading of images could also cause the browser to fail.

"What people didn't know about that patch is when [Microsoft] introduced that patch, they actually introduced a new exploitable vulnerability," said eEye chief hacking officer Marc Maiffret. "They basically butchered that patch."




4 Comments:

  • It's always disconcerting to hear things like this. As a network admin, I have two choices:

    1. Wait to fully test, and then deploy a patch (and then risk getting hit with zero day exploits)

    2. Immediately apply patches (therefore protecting our clients from zero day exploits, but exposing them to possibly buggy code).

    By Anonymous David Brunelle, at 11:54 AM  

  • I'm glad I use Linux, but this probably means more family tech support calls.

    By Blogger Mackenzie, at 11:55 AM  

  • I'm so glad I got my whole family onto Firefox.

    By Anonymous Sterling Camden, at 5:38 PM  

  • Yeah, most of the time, I use Firefox at home, but gotta use IE at work, so custom apps don't work under IE.. bleah.

    By Blogger Kiltak, at 9:26 PM  
