Botched Browser Security Patch
Results 1 to 6 of 6

Thread: Botched Browser Security Patch

  1. #1
    Forgotten Ghost RogueSpy's Avatar
    Join Date
    Aug 2001
    Location
    Cyberspace
    Posts
    783

    Exclamation Botched Browser Security Patch

    Microsoft Recalls Botched Browser Security Patch

    Package was to fix 'all known security flaws in Internet Explorer.'
    By Brian McWilliams, Newsbytes
    Feb 11 2002 12:15AM PT

    A collection of long-awaited security patches designed to plug several critical holes in Internet Explorer was yanked from Microsoft's site Thursday after the company found problems with the fix.

    Approximately two hours after the cumulative patch for IE was loaded to the company's Windows Update site Thursday, Microsoft "discovered an error and halted the distribution process in order to conduct further testing," according to a Microsoft representative.

    The company did not say how many people downloaded the patch, which was designated a "critical update."

    The error resulted from the software "package" used to bundle the patch code for distribution. The files within the package were fine, and users who installed the fix do not need to take any action, the spokesperson said.

    Microsoft's Windows Update site early Thursday carried an announcement of the cumulative patch, which was said to correct "all known security flaws in Internet Explorer."

    The vulnerability database maintained by SecurityFocus currently lists at least nine security flaws in IE that have not been resolved by Microsoft.

    Tests of the patch downloaded by Newsbytes Thursday showed that the fix failed to plug several known IE security issues.

    The patch, which was assigned Update Version Q316059, appeared to correct a serious flaw publicized Jan. 1 by security consultant Georgi Guninski and referred to as the GetObject file disclosure vulnerability.

    Unpatched, the GetObject flaw could be used by a malicious Web site administrator to view any known file on a target system. It may also lead to the execution of arbitrary code, said Guninski, who classified it as high risk.

    The known bugs not fixed by the botched patch include two discovered by a security researcher who uses the nickname ThePull. Those bugs could allow a malicious site to steal a victim's browser cookies and launch programs on the victim's computer, he said.

    A demonstration of how the IE cookie-stealing flaw could be used to hijack a person's MSN Messenger chat account was posted Friday on the Bugtraq security mailing list.

    Microsoft said it will conduct further testing and release the final cumulative patch and accompanying security bulletin "shortly."

    Security experts have expressed frustration with the slow pace at which Microsoft has responded to the latest reports of IE flaws.

    "If there's a security bug, they need to fix it right away - unless their goal is to look like they're not releasing a lot of patches," said Marc Maiffret, chief hacking officer for Eeye Digital Security, a Windows security software firm.

    For its part, Microsoft has criticized the way that some security researchers handled the discovery of the IE flaws.

    When ThePull published an advisory and demonstrations of the bugs on Jan. 7, Microsoft refused to comment on the report, except to complain that its publication may put Microsoft customers at risk and cause "needless" confusion and apprehension.

    "Responsible security researchers work with the vendor of a suspected vulnerability issue to ensure that countermeasures are developed before the issue is made public and customers are needlessly put at risk," said the company in a statement last month.

    But David Ahmad, editor of SecurityFocus' Bugtraq mailing list, said Microsoft's unwillingness to acknowledge and openly discuss the flaws was disturbing.

    "They're going a step beyond not crediting the discoverers of flaws. Now they're pretending that the vulnerabilities and the researchers who found them don't exist at all," said Ahmad.

    The company's recall of the IE security patch follows the announcement by Chairman Bill Gates last month of a new corporate strategy, dubbed "Trustworthy Computing." Microsoft has resolved to treat security as a top priority, even ahead of developing new product features, Gates said.

    A list of some of the pending security holes in IE is at http://jscript.dk/unpatched/ .

    Source: SecurityFocus
    "Never give in-never, never, never, in nothing great or small, large or petty, never give in to convictions of honor and good sense. Never yield to force; never yield to the apparently overwhelming might of the enemy!" - Winston Churchill

  2. #2
    Senior Member
    Join Date
    Dec 2001
    Posts
    1,193
    RogueSpy - good post. I downloaded what I think is the new one last night and applied it.


    pos antipoint headed your way...
    Trappedagainbyperfectlogic.

  3. #3
    AntiOnline Senior Member souleman's Avatar
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,884
    Rogue, do you sit on SecurityFocus waiting for new articles to come out? Just curious.

    I am still waiting for the day Microsoft releases a fix that doesn't include new holes. I think it has happened once or twice, but not very often. At least this time they caught it, and pulled the patch before everyone installed it and opened themselves up to new vulnerabilities.
    \"Ignorance is bliss....
    but only for your enemy\"
    -- souleman

  4. #4
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    HHAHAHAHAHAHAHAHA!!!!!

    I can't stop laughing. Good find. How hilarious.

    M$-"We're commited to security", not to quality code.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  5. #5
    Forgotten Ghost RogueSpy's Avatar
    Join Date
    Aug 2001
    Location
    Cyberspace
    Posts
    783
    Originally posted by souleman
    Rogue, do you sit on SecurityFocus waiting for new articles to come out? Just curious.
    Actually, I go there every chance I get to see whats new. Yes. Hope noone objects to me posting newz here. If so, just say so & I will stop.
    "Never give in-never, never, never, in nothing great or small, large or petty, never give in to convictions of honor and good sense. Never yield to force; never yield to the apparently overwhelming might of the enemy!" - Winston Churchill

  6. #6
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    Don't stop. I don't have enough time in the day to read all of the shite that's pushed at me. Having at least another set of eyes looking is a great asset.

    Keep it up.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •