Slashdot Mirror


Microsoft Re-Re-Releases IE Patch

uniquebydegrees writes, "InfoWorld reports that on Tuesday Microsoft quietly released the second update for MS06-042. This is the cumulative patch for IE that actually introduced a new security hole into systems that applied the update. Microsoft re-released the patch back in August, but it now turns out that the updated patch had yet another vulnerability similar to the first, once again discovered by folks at eEye Digital Security. As with the previous hole, it concerned the handling of long URLs from web sites using HTTP 1.1 with compression."

77 comments

  1. Bugger! by ackthpt · · Score: 3, Interesting

    I just spent 4 hours downloading and installing patches over the weekend and now I've got more...

    I'm just glad I don't use IE, that's all.

    i'd really like to know why it downloaded all those outlook patches, considering i don't have that installed and have never had it installed...

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:Bugger! by Tackhead · · Score: 1
      > i'd really like to know why it downloaded all those outlook patches, considering i don't have that installed and have never had it installed...

      DIR C:\PROGRA~1\OUTLOO~1

      Son of a bitch. They're back on my box too. I remember how many hoops I had to jump through to delete them when I first set up this box. Now they're back, but the old batch file that wiped the multiple copies of the .DL_ files in \I386 as well as the copies in the DLLCACHE directory no longer works. WTF?

    2. Re:Bugger! by RobertLTux · · Score: 1

      maybe because the files are now "protected" system files (the point is to make sure that Windows itself doesn't get borked but...) i would port the batch file to bash and then do the run from a Live CD (make sure you have ntfs write support)

      --
      Any person using FTFY or editing my postings agrees to a US$50.00 charge
    3. Re:Bugger! by RKBA · · Score: 1

      That's why I also install a second maintenance version of Windows 2000; ie, so that I can delete "protected" and "in use", etc, Windows system files easily. It also makes it very easy to make backup copies of the Windows registry directory.

    4. Re:Bugger! by this+great+guy · · Score: 3, Funny
      > DIR C:\PROGRA~1\OUTLOO~1

      Remind me of an old joke...
      Windows 95: comes with built-in support for long filena~1.

    5. Re:Bugger! by AmberBlackCat · · Score: 1

      > I just spent 4 hours downloading and installing patches over the weekend and now I've got more...
      >
      > I'm just glad I don't use IE, that's all.

      I'm glad I don't use your ISP. It doesn't take me long to download the updates. No longer than it takes to download a Firefox update, which didn't get nearly as harsh a reaction even though they've also released quick fixes to regression patches. I didn't have to download any Outlook updates over the weekend and neither did my friend who has Windows on her laptop, and we both use Outlook. So I would wonder if that's really a Windows problem or something specific to your computer.

  2. Re-Re-Releases IE Patch! by celardore · · Score: 4, Funny

    Th-th-th-that's all folks!

    1. Re:Re-Re-Releases IE Patch! by Overly+Critical+Guy · · Score: 3, Interesting

      It's amazing the U.S. economy has come to rely on something so unreliable. Think about it.

      --
      "Sufferin' succotash."
    2. Re:Re-Re-Releases IE Patch! by matrixhax0r · · Score: 1

      Hey, you know it's true when US-CERT says it too.

      --
      If it's not on fire, it's a hardware problem.
    3. Re:Re-Re-Releases IE Patch! by MrNougat · · Score: 1

      I was thinking more along the lines of Sussussudio myself.

      --
      Web 2.0 == Giant Blogspam Circle Jerk
    4. Re:Re-Re-Releases IE Patch! by xoundmind · · Score: 1

      That might be the most astute criticism of Microsoft (and the dangers therein) I've ever seen.
      Bravo.

  3. 10 Patches Later... by Foofoobar · · Score: 0

    The marketing blitz begins. World's most secure browse... WHAT?? The patched patched we patched and patched again only to have to patch the patch we patched needs patched. Save it for Vista Service Pack 5!!

    --
    This is my sig. There are many like it but this one is mine.
    1. Re:10 Patches Later... by interval1066 · · Score: 1

      Foofoobar: > Save it for Vista Service Pack 5!!

      You won't have to save long. I think Vista has got to be the first product release that will have over 6 "service packs" ready for it before the shrink wrap went on the GA.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    2. Re:10 Patches Later... by legoburner · · Score: 1

      I am very glad they are cracking down on third party security software in Vista since Microsoft obviously have such a great security model we should have full confidence in. In all seriousness though, I wonder how many more people will start getting router-type devices between their computer and net connection, filtering content, connections and data, all because of this action. Looking forward to va-va-va-vista!

    3. Re:10 Patches Later... by Frizzle+Fry · · Score: 1

      I don't think Microsoft claims that IE 5.01 is currently the world's most secure browser. This bug that they are patching with the re-rerelease doesn't exist in IE on XP SP2, Server SP1 or in IE7 (including Vista), so the claims that things got more secure starting with XP SP2 again seem pretty reasonable.

      --
      I'd rather be lucky than good.
  4. QA by McGiraf · · Score: 0, Redundant

    Is there a QA department at microsoft? This is getting ridiculous.

  5. Does it have a picture of a train on it? by Anonymous Coward · · Score: 1, Funny

    I choo-choo-choose to install it.

  6. This is bad... by __aaclcg7560 · · Score: 1

    > Microsoft Re-Re-Releases IE Patch

    Maybe Microsoft just need to release a new operating system to fix the IE bugs for good. I heard Apple has a good operating system.

    1. Re:This is bad... by Jonny_eh · · Score: 1

      It might be easier if they just integrated the gecko rendering engine from Firefox into Windows, instead of using IE.

    2. Re:This is bad... by Short+Circuit · · Score: 1

      Bad idea. Gecko isn't perfect...Security holes are found and fixed every week.

      If you replace Microsoft's HTML rendering code with Gecko, you won't have done any better than change the set of bugs. At worst, you've created a target for crackers whose codebase is shared across many operating systems, and not just those sold by Microsoft.

      So junk intended for Windows will, at best, cause crashes and misbehavior in Firefox, Galeon, etc. on Linux. At the worst, it could start showing up on your filesystem anywhere your users have write access.

      Imagine malware that creates ~/.bin/sudo and adds the folder to your ~/.bashrc and ~/.xsession ... Next thing you know, that corporate web server you maintain is hosting a phishing site.

      Crackers don't do this (much) now, because Gecko doesn't have a very large audience...Poorly administered Windows computers with peoples' financial information stored in "c:\Windows\Temporary Internet Files" make for big, fat targets. But phishing tempts those who can figure it out.

    3. Re:This is bad... by Arancaytar · · Score: 1

      But by switching to Gecko, Microsoft could save a bunch of money on their car insurance.

      Sorry.

  7. Since . . . by OverlordQ · · Score: 4, Informative

    Well, you complain about Microsoft not fixing the patch in 3 attempts when you CAN'T EVEN TELL THE DIFFERENCE BETWEEN A PATCH AND A VULNERABILITY.

    MS06-042 is the Security Bulletin.
    KB918899 is the KB id w/ Patch.

    --
    Your hair look like poop, Bob! - Wanker.
    1. Re:Since . . . by cp.tar · · Score: 1
      > Well, you complain about Microsoft not fixing the patch in 3 attempts when you CAN'T EVEN TELL THE DIFFERENCE BETWEEN A PATCH AND A VULNERABILITY.

      Neither can they, it appears. That's why they had to release it all over again.
      Twice.

      --
      Ignore this signature. By order.
    2. Re:Since . . . by kumanopuusan · · Score: 1

      > ... CAN'T EVEN TELL THE DIFFERENCE BETWEEN A PATCH AND A VULNERABILITY...

      It's no surprise he can't tell the difference. In this case, the patch is the vulnerability.

      Besides, making a mistake while complaining about Microsoft isn't on the same scale as Microsoft releasing a series of bad patches. Did the GP's mistake result in any botnets? More importantly, the GP's mistake doesn't make Microsoft's mistake any less harmful.

      --
      Use of the words "good", "bad" or "evil" is almost invariably the result of oversimplification.
    3. Re:Since . . . by Fred_A · · Score: 1

      They remembered what their moms used to say : "Practice makes perfect".

      Come on Microsoft, you're getting there, a few more and we'll be done (switching a few more people) !

      --

      May contain traces of nut.
      Made from the freshest electrons.
  8. Huh by theophylline · · Score: 3, Funny

    I downloaded the IE patch a while ago and it works great. It's called Firefox.

    1. Re:Huh by Pharmboy · · Score: 1

      But less people use Firefox, so they don't write as many exploits for it. Almost like "security through obscurity", and I hear you can get RICH doing that with operating systems and browsers.

      --
      Tequila: It's not just for breakfast anymore!
    2. Re:Huh by vertinox · · Score: 2, Insightful

      > But less people use Firefox, so they don't write as many exploits for it.

      But more webservers use Apache over IIS, so why are there more exploits for IIS?

      --
      "I am the king of the Romans, and am superior to rules of grammar!"
      -Sigismund, Holy Roman Emperor (1368-1437)
    3. Re:Huh by Anonymous Coward · · Score: 0

      Why can't I find details about this patch in the MSKB?

    4. Re:Huh by Anonymous Coward · · Score: 0

      it was a joke.

    5. Re:Huh by WhiteWolf666 · · Score: 2, Funny

      What, the grandparent post, or IIS?

      --
      WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
    6. Re:Huh by Anonymous Coward · · Score: 0

      Who modded this as 'Funny'? It's such a boring joke I find it hard to believe that anyone would actually laugh at it.

      I don't understand why people even post it.

    7. Re:Huh by xtieburn · · Score: 1

      IIS is only more vulnerable because lots of people like to mouth off about MS being vulnerable. In reality 'the platforms are almost equally vulnerable to attacks' http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1114647,00.html

      If you google it you'll come up with more. IIS and Apache are very much on equal footing.

  9. re-re-re-release. by Koragnar · · Score: 5, Funny

    When did George Lucas join Microsoft?

    1. Re:re-re-re-release. by Anonymous Coward · · Score: 0

      When Microsoft realised Bill did not shoot first.

  10. My patch always works! by WillAffleckUW · · Score: 2, Interesting

    1. Remove all shortcuts to IE
    2. Install Firefox and/or Opera (I like both, Opera for email, Firefox for everything else)
    3. ...
    4. Profit!

    --
    -- Tigger warning: This post may contain tiggers! --
    1. Re:My patch always works! by ArcticFlood · · Score: 1

      Unfortunately, IE is still used in Outlook, Outlook Express, and Windows Help, among other places. While your fix is good enough for most cases, vulnerabilities can often be exploited in other programs that use the IE controls to render HTML.

      --
      This is here so you don't ignore the last two lines of my posts.
    2. Re:My patch always works! by Anonymous Coward · · Score: 0

      Except that Firefox has a worse security record than IE, and isn't any cheaper. Nice try, though.

    3. Re:My patch always works! by matw8 · · Score: 1

      Firefox may be technically less secure, but it certainly has a far better security record than IE.

    4. Re:My patch always works! by WillAffleckUW · · Score: 1

      That's why I didn't remove it, just the shortcuts. Since I don't use such programs/controls/etc, such worries never occur.

      --
      -- Tigger warning: This post may contain tiggers! --
    5. Re:My patch always works! by Anonymous Coward · · Score: 0

      This doesn't work for Windows Update or Microsoft Update; they'll still use IE. :-P

    6. Re:My patch always works! by mackyrae · · Score: 1

      I never understood using Outlook. In the first place, I can't figure out how to get my yahoo mail to go there (can't figure out how to get my school mail to go to Evolution either). In the second place, how much harder is it to log in to yahoo.com mail than to double click on Outlook? You have to connect to the internet anyway. Third, webmail is available from anywhere, even from the web browser on a cell phone--why even bother with Outlook (or Evolution--unless it's for the calendar which I love--or Thunderbird)?

      --
      look! it's a bird, it's a plane, it's....a girl? yes, a girl browsing Slashdot on Linux
    7. Re:My patch always works! by TheVelvetFlamebait · · Score: 0

      Shit. I tried 1), but I couldn't find IE to download Firefox or Opera.

      --
      You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
    8. Re:My patch always works! by wordsnyc · · Score: 1

      God knows I'd never suggest using Outlook, and Evolution really isn't ready for prime time, but I use Thunderbird (and Eudora before that) because I want my mail on my machine, not on the web. I have mailing lists dating back to 1994 I use for research, and if my net connection goes down (as it does out here in the boonies), I can still search my archives.

      --
      Sent from the iPad I found in your car.
  11. Great, but when will they stop the crashes? by Software · · Score: 2, Informative
    It's nice to know that they're re-fixing the security hole, but how about fixing the browser crashes? From http://support.microsoft.com/kb/923996/ :
    When you visit a Web page that uses a custom pop-up object, Microsoft Internet Explorer 6 closes unexpectedly and generates an error in the Mshtml.dll file. This problem occurs after you install security update 918899 on a Windows XP Service Pack 2 (SP2)-based or a Windows Server 2003 Service Pack 1 (SP1)-based computer. A hotfix is available if you are severely affected by this problem. Otherwise, we recommend that you wait for the next cumulative security update for Internet Explorer.
    1. Re:Great, but when will they stop the crashes? by Anonymous Coward · · Score: 0

      Umm, if there's a hotfix available then they did fix that crash. Not sure what you're goin for here.

    2. Re:Great, but when will they stop the crashes? by rifter · · Score: 1

      > Umm, if there's a hotfix available then they did fix that crash. Not sure what you're goin for here.

      1) Hotfixes are generally only available from microsoft support after you call and pay with a credit card.

      2) Hotfixes are not real patches. That is, they aren't generally considered release quality code.

      3) When the patch comes out, it may not mesh well with the hotfix, owing in part to #2

      It sucks. Until a real patch is out, and available to everyone, Microsoft has not fixed the problem. And even then, judging by today's story, it is up in the air. To be fair this is not something that is unique to microsoft. Just about every software company has some equivalent to a hotfix, and software, even patches, is never guaranteed to be perfect. But still, to discount the previous poster's problem is to misunderstand the situation.

  12. Re:Re-Re-Releases Ch-ch-changes by WillAffleckUW · · Score: 1

    Ch-ch-ch-changes! Turn and face the strange changes ....

    I knew Bill Gates was a David Bowie fan, but this is taking it too far!

    --
    -- Tigger warning: This post may contain tiggers! --
  13. Well, turns out... by Anonymous Coward · · Score: 0

    That reading slashdot at work is a good thing. My company is just gearing up for patching (big corporation) and our security department didn't know about this until I pointed it out.

  14. And MS says that Vista won't need... by Septicmadman · · Score: 1

    Third-party security software, no one in their right (or even severely handicapped) mind would think such. Thank you for reconfirming my suspicions MS.

  15. Re:Re-Re-Releases in other news... by Deathbane27 · · Score: 1

    ...Apple re-re-re-releases the P-P-P-Powerbook!

    --
    If it ain't broke, it needs more features!
  16. Code reuse? by 140Mandak262Jamuna · · Score: 1

    Related to compressed long URLs? Wasn't there a report about some compressed folders with sizes near multiples of 4K gets last chunk padded with 0xD? or something like that? At what point code reuse becomes bug reuse?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Code reuse? by Anonymous Coward · · Score: 0

      > At what point code reuse becomes bug reuse?

      Depends on what you mean by code reuse. Remember kids, Copy-and-Paste is a design error.

  17. Siebel by Jett · · Score: 1

    Does it still break Siebel?

  18. Sheeh! by Utopia · · Score: 1

    There are people who still haven't upgraded to XP SP2 or 2003 SP1 ?

    Microsoft shouldn't waste time patching/supporting these older browser versions.

    1. Re:Sheeh! by Lord+Aurora · · Score: 1
      > Microsoft shouldn't waste time patching/supporting these older browser versions.

      While your argument does have some merit, the whole "focus on the new stuff" idea isn't very helpful to a company's image. (Note to ACs: Perfect place to reply with "Can MS's image get any worse? LOLROFLMCBOFL!") For example, say you're playing an old-school game on the PC. Oh noes! It doesn't work. Why not? Well, the company's website says that only the FAQ pages for that game are still up, because they stopped giving specific support for it long ago. You're screwed! =(

      Anyway. /twocents

      --
      The heavens do not fall for such a trifle.
    2. Re:Sheeh! by Anonymous Coward · · Score: 0

      Can MS's image get any worse? LOLROFLMCBOFL!

    3. Re:Sheeh! by Darthmalt · · Score: 1

      I would agree that they should support old versions but at this point is there any reason for the home user not to upgrade to SP2? With the exception of business apps everything should be compliant by now.

    4. Re:Sheeh! by mackyrae · · Score: 1

      I didn't upgrade til a few months ago (didn't realise it) and when I did all of a sudden my Windows isn't genuine. I know it wasn't pirated. Windows was on there when I bought it (from a reputable dealer, not someone off the street) at Best Buy.

      --
      look! it's a bird, it's a plane, it's....a girl? yes, a girl browsing Slashdot on Linux
    5. Re:Sheeh! by /dev/trash · · Score: 1

      I'd be askin Best Buy for a refund.

    6. Re:Sheeh! by Z34107 · · Score: 1

      > While your argument does have some merit, the whole "focus on the new stuff" idea isn't very helpful to a company's image.

      They can create a "new stuff" patch for the old stuff, or people could just use the patch they already have. XP SP2 is free.

      --
      DATABASE WOW WOW
    7. Re:Sheeh! by howlingmadhowie · · Score: 1

      no, it isn't free. not if it breaks dependencies and makes important software unusable. the user has fallen into a proprietary software trap. what happens if the manufacturer of a software you use has gone out of business and sp2 breaks the software on your computer? if the software you use(d) also saves information in a proprietary format, sp2 is suddenly enormously expensive.

  19. You know, we also use "re-re" as well by SensitiveMale · · Score: 0, Offtopic

    Of course, the political correctness gestapo will not allow me to explain more.

  20. Exit Our Hero by RatBastard · · Score: 1

    Bugs Bunny: And so, having re-redisposed of the monster, exit our hero through the front door, stage right.

    --
    Boobies never hurt anyone. - Sherry Glaser.
  21. Microsoft borrowing from Tony the Tiger(TM) by Anonymous Coward · · Score: 0

    "This patch is gonna be g-g-great!!!"

  22. Fair enough. =D (n/t) by Lord+Aurora · · Score: 1

    n/t

    --
    The heavens do not fall for such a trifle.
  23. Nothing new by Anonymous Coward · · Score: 0

    Apple had this before. If I remember correctly, the 2005-007 security update release 1.0 was followed within a week or so by release 1.1.
    The problem is with testing with the configuration the majority of users have and using all of the functions therein. Also you may have fixed one problem and broken another. But with M$ there is no excuse since they make the entire Windows OS.

  24. Cocky eEye e-mail by kbinnie · · Score: 1

    I've been on eEye's mailing list for a while, ever since I downloaded Retina. The message they sent regarding this patch release is as follows, "The re-release of MS06-042 comes as a result of eEye Digital Security finding yet another security vulnerability in the original MS06-042 patch. For those of you keeping score, it is now MS06-042: 0 and eEye Research: 2." Classic!

  25. eEye? by Anonymous Coward · · Score: 0

    eEye eEye oh oh..... what's wrong with it now?

  26. second that by Anonymous Coward · · Score: 0

    I'm too busy to follow all MS info here and there, this was a nice right on, straight forward, "slashdot note" about it. Yes I *do* have time to read slashdot :P
    And nicely timed as I'm about to update 6 windows based servers at a company today. (Oh don't worry, the company has a few Mac OS X servers too)

    -m10

  27. Unit testing? by Mitch+Monmouth · · Score: 1

    With so many engineers, you'd think they'd have a few to spare whom they could assign to writing unit tests. Microsoft seems to push these releases out after an all hands call to "try it out" rather than any comprehensive testing.

    1. Re:Unit testing? by GetHimHesDifferent · · Score: 1

      Ah, but Nunit is open source isn't it?

      http://www.nunit.org/

  28. Re:Re-Re-Releases in other news... by R3d+M3rcury · · Score: 1

    Sounds like M-m-m-Max Headroom.

    Actually, this reminds me of an old joke:

    This opera singer was performing the famous aria 'Vesti la Giubba.' When he finished, the audience jumped to their feet and yelled "Encore! Encore!" So he sang it again. Again, the audience jumped to their feet yelling, "Encore! Encore!" So he sang it again. And again. And again. In fact, he sang it eight times. Finally, he walked out on stage and spoke to the audience.

    "I'm honored," he said, "that you have asked me to sing this aria again. This has to be a milestone in operatic history. Not even the great Enrico Caruso was ever asked to sing 'Vesti la Giubba' eight times! So thank you all for this tremendous honor."

    "However, my throat is beginning to hurt and we still have the rest of the opera to complete. So I ask--nay, I beg you. Please don't ask me to sing this aria one more time."

    An audience member shouts out, "You'll sing it 'til you get it right!"

  29. What Do You Want to Patch Today? by LowLifeScum · · Score: 0

    M$ Windoze!

  30. Don't Get Comfortable Yet by Anonymous Coward · · Score: 0

    After three months of being pounded with some of the largest Microsoft patch cycles, it looks as though they're providing us with a breather. Don't get too comfortable though, researchers seem to have plenty of Microsoft content in their queue. Look no further than the 7 pending advisories in the ZDI queue - http://www.zerodayinitiative.com/upcoming_advisories.html for proof of that. I've made the following blog post discussing my thoughts on this month's Microsoft patches - http://portal.spidynamics.com/blogs/msutton/.

  31. QA by bean123456789 · · Score: 1

    You would think by now they would have replaced the QA department or partner up with another security firm that can double check update before it goes out the door.