Security advisory instead of a patch for the patch
Massive security problems have forced Microsoft to postpone the exceptional patch for Internet Explorer SP1, originally announced to be released today. The patch for the update from last Patch Tuesday was intended to eliminate crashes that can occur during visits to web servers using compression and HTTP 1.1 to deliver data. The crash is caused by a buffer overflow through overlong URLs, and upon closer inspection this has turned out to be a critical security hole. According to statements from Microsoft and security service provider eEye, the code utilising this hole could be used to smuggle code onto a PC and then execute it. Up until now no sites have been observed actively using the exploit. Still, Microsoft's cumulative update MS06-042 not only closed holes, it also opened this new one.
Only Internet Explorer SP1 is affected. Users with Windows XP SP2 or Windows Server 2003 are not vulnerable to this hole – MS06-042 was clearly error-free in those areas. Users should under no circumstances uninstall the update. Microsoft instead recommends deactivating support for HTTP 1.1 (Tools/Internet Options/Advanced/HTTP 1.1 Settings). The browser can then only display websites delivered by the server in HTTP 1.0. The Redmond company is continuing work on a new patch for the patch, but has not yet announced a release date.
- Today's postponed re-release of MS06-042, and posting of a Security Advisory, Report from Microsoft Security Response Center
- Long URLs to sites using HTTP 1.1 and compression Could Cause Internet Explorer 6 Service Pack 1 to Unexpectedly Exit, Microsoft Security Advisory (923762)
- EEYE:ALERT: MS06-042 Related Internet Explorer 'Crash' is Exploitable, Flaw alert from eEye