
August patch creates critical new vulnerability; Microsoft re-releases MS06-042

Tags: Patches, Microsoft Internet Explorer, John McCormick, Microsoft Corp., eEye Digital Security, Kevin Mitnick, security, IT Locksmith Newsletter


Takeaway: Microsoft re-issues the MS06-042 security bulletin to address the discovery of a critical new bug in the August 8 IE patch. Meanwhile, IBM makes a big acquisition, and a hacker gets a taste of his own medicine. Get the details about these and other security issues in this edition of the IT Locksmith.

Details

eEye Digital Security recently reported a critical NEW security bug in the August 8 Internet Explorer MS06-042 patch. The problem involves IE crashing, and Microsoft reports that the problem sometimes causes the display of this error message:

Internet Explorer has encountered a problem and needs to close. We are sorry for the inconvenience. If you were in the middle of something, the information you were working on might be lost.
Please tell Microsoft about this problem.
We have created an error report that you can send to help us improve APPNAME. We will treat this report as confidential and anonymous.
To see what data this error report contains, click here.

Microsoft has acknowledged the problem and updated security article 923762 for the MS06-042 bulletin. The problem apparently affects ONLY Internet Explorer 6 SP1 users; that version is probably still found on many Windows 2000 systems with SP4 installed and on XP SP1 systems. eEye says it discovered the new security hole while investigating why the patch was causing Explorer to crash.

According to Microsoft, a workaround exists:
On the Tools menu, open Internet Options | Advanced. Go to the Settings box, clear the Use HTTP 1.1 check box, then OK the change.

On August 24 Microsoft re-released Microsoft Security Bulletin MS06-042 with version 2.0, addressing the problems discovered and caused by MS06-042 version 1.0.

In a separate threat update, eEye has also reported that a botnet which connects to IRC chat servers in China is attacking unpatched Windows 2000 systems.

The fix is to apply the patch from MS06-040 or to block ports 139 and 455 at the firewall, but eEye also suggests the malware can attack through AOL's Instant Messenger.

Also watch for...



  • Facing a growing challenge from Microsoft, IBM has purchased security firm ISS for more than one billion dollars.
  • In a case which should incredibly embarrass born-again security "expert" Kevin Mitnick, the infamous hacker's personal web site was recently hacked and defaced. For those not familiar with the irony involved, check out the Wikipedia entry on Mr. Mitnick. (I wonder if Mr. Mitnick called the Secret Service to report the problem.)