The secret update -- the patch for the patch is now patched
On patch day, in addition to the new updates, Microsoft has also revisited two old ones - the cumulative IE update in MS06-042, which has already been fixed once, and the MS06-040 Server service patch. The latter revision is intended, according to Christopher Budd from Microsoft's security team, to resolve incompatibility issues. The new IE update, however, has a few surprises up its sleeve.
Group Manager Tony Chor explains the reasons for the new changes in the IE Blog. A new security vulnerability in Internet Explorer, similar to a previously resolved problem, was discovered. It occurs at a different point in the code and also affects different program versions. Nonetheless, a fix for this new flaw has been folded retrospectively into the cumulative Internet Explorer update published last month - an update that had already been modified once, after it initially opened up a new security vulnerability.
The problem occurs when parsing over-long URLs and carries the number CVE-2006-3873. It affects both Internet Explorer 5 and IE 6, where the current service packs for Windows 2003 Server (SP1) or XP (SP2) are not installed.
- Cumulative Security Update for Internet Explorer, Microsoft security bulletin MS06-042
- Vulnerability in Server Service Could Allow Remote Code Execution, Microsoft security bulletin MS06-040