Microsoft Recalls Botched Browser Security Patch
Package was to fix 'all known security flaws in Internet Explorer.'
By Brian McWilliams, Newsbytes
Feb 11 2002 12:15AM PT
A collection of long-awaited security patches designed to plug several critical holes in Internet Explorer was yanked from Microsoft's site Thursday after the company found problems with the fix.
Approximately two hours after the cumulative patch for IE was loaded to the company's Windows Update site Thursday, Microsoft "discovered an error and halted the distribution process in order to conduct further testing," according to a Microsoft representative.
The company did not say how many people downloaded the patch, which was designated a "critical update."
The error resulted from the software "package" used to bundle the patch code for distribution. The files within the package were fine, and users who installed the fix do not need to take any action, the spokesperson said.
Microsoft's Windows Update site early Thursday carried an announcement of the cumulative patch, which was said to correct "all known security flaws in Internet Explorer."
The vulnerability database maintained by SecurityFocus currently lists at least nine security flaws in IE that have not been resolved by Microsoft.
Tests of the patch downloaded by Newsbytes Thursday showed that the fix failed to plug several known IE security issues.
The patch, which was assigned Update Version Q316059, appeared to correct a serious flaw publicized Jan. 1 by security consultant Georgi Guninski and referred to as the GetObject file disclosure vulnerability.
Unpatched, the GetObject flaw could be used by a malicious Web site administrator to view any known file on a target system. It may also lead to the execution of arbitrary code, said Guninski, who classified it as high risk.
The known bugs not fixed by the botched patch include two discovered by a security researcher who uses the nickname ThePull. Those bugs could allow a malicious site to steal a victim's browser cookies and launch programs on the victim's computer, he said.
A demonstration of how the IE cookie-stealing flaw could be used to hijack a person's MSN Messenger chat account was posted Friday on the Bugtraq security mailing list.
Microsoft said it will conduct further testing and release the final cumulative patch and accompanying security bulletin "shortly."
Security experts have expressed frustration with the slow pace at which Microsoft has responded to the latest reports of IE flaws.
"If there's a security bug, they need to fix it right away - unless their goal is to look like they're not releasing a lot of patches," said Marc Maiffret, chief hacking officer for Eeye Digital Security, a Windows security software firm.
For its part, Microsoft has criticized the way that some security researchers handled the discovery of the IE flaws.
When ThePull published an advisory and demonstrations of the bugs on Jan. 7, Microsoft refused to comment on the report, except to complain that its publication may put Microsoft customers at risk and cause "needless" confusion and apprehension.
"Responsible security researchers work with the vendor of a suspected vulnerability issue to ensure that countermeasures are developed before the issue is made public and customers are needlessly put at risk," said the company in a statement last month.
But David Ahmad, editor of SecurityFocus' Bugtraq mailing list, said Microsoft's unwillingness to acknowledge and openly discuss the flaws was disturbing.
"They're going a step beyond not crediting the discoverers of flaws. Now they're pretending that the vulnerabilities and the researchers who found them don't exist at all," said Ahmad.
The company's recall of the IE security patch follows the announcement by Chairman Bill Gates last month of a new corporate strategy, dubbed "Trustworthy Computing." Microsoft has resolved to treat security as a top priority, even ahead of developing new product features, Gates said.
A list of some of the pending security holes in IE is at http://jscript.dk/unpatched/