Information Security News mailing list archives

Microsoft Recalls Botched Browser Security Patch


From: InfoSec News <isn () c4i org>
Date: Mon, 11 Feb 2002 02:00:08 -0600 (CST)

http://www.newsbytes.com/news/02/174366.html

By Brian McWilliams, Newsbytes
REDMOND, WASHINGTON, U.S.A.,
10 Feb 2002, 7:16 PM CST

A collection of long-awaited security patches designed to plug several
critical holes in Internet Explorer was yanked from Microsoft's site
Thursday after the company found problems with the fix.

Approximately two hours after the cumulative patch for IE was loaded
to the company's Windows Update site Thursday, Microsoft "discovered
an error and halted the distribution process in order to conduct
further testing," according to a Microsoft representative.
 
The company did not say how many people downloaded the patch, which
was designated a "critical update."

The error resulted from the software "package" used to bundle the
patch code for distribution. The files within the package were fine,
and users who installed the fix do not need to take any action, the
spokesperson said.

Microsoft's Windows Update site early Thursday carried an announcement
of the cumulative patch, which was said to correct "all known security
flaws in Internet Explorer."

The vulnerability database maintained by SecurityFocus currently lists
at least nine security flaws in IE that have not been resolved by
Microsoft.

Tests of the patch downloaded by Newsbytes Thursday showed that the
fix failed to plug several known IE security issues.

The patch, which was assigned Update Version Q316059, appeared to
correct a serious flaw publicized Jan. 1 by security consultant Georgi
Guninski and referred to as the GetObject file disclosure
vulnerability.

Unpatched, the GetObject flaw could be used by a malicious Web site
administrator to read any file on a target system whose path is
known. It may also lead to the execution of arbitrary code, said
Guninski, who classified it as high risk.

The known bugs not fixed by the botched patch include two discovered
by a security researcher who uses the nickname ThePull. Those bugs
could allow a malicious site to steal a victim's browser cookies and
launch programs on the victim's computer, he said.

A demonstration of how the IE cookie-stealing flaw could be used to
hijack a person's MSN Messenger chat account was posted Friday on the
Bugtraq security mailing list.

Microsoft said it will conduct further testing and release the final
cumulative patch and accompanying security bulletin "shortly."

Security experts have expressed frustration with the slow pace at
which Microsoft has responded to the latest reports of IE flaws.

"If there's a security bug, they need to fix it right away - unless
their goal is to look like they're not releasing a lot of patches,"
said Marc Maiffret, chief hacking officer for eEye Digital Security, a
Windows security software firm.

For its part, Microsoft has criticized the way that some security
researchers handled the discovery of the IE flaws.

When ThePull published an advisory and demonstrations of the bugs on
Jan. 7, Microsoft refused to comment on the report, except to complain
that its publication may put Microsoft customers at risk and cause
"needless" confusion and apprehension.

"Responsible security researchers work with the vendor of a suspected
vulnerability issue to ensure that countermeasures are developed
before the issue is made public and customers are needlessly put at
risk," said the company in a statement last month.

But David Ahmad, editor of SecurityFocus' Bugtraq mailing list, said
Microsoft's unwillingness to acknowledge and openly discuss the flaws
was disturbing.

"They're going a step beyond not crediting the discoverers of flaws.
Now they're pretending that the vulnerabilities and the researchers
who found them don't exist at all," said Ahmad.

The company's recall of the IE security patch follows the announcement
by Chairman Bill Gates last month of a new corporate strategy, dubbed
"Trustworthy Computing." Microsoft has resolved to treat security as a
top priority, even ahead of developing new product features, Gates
said.

A list of some of the pending security holes in IE is at
http://jscript.dk/unpatched/

Microsoft's security home page is at
http://www.microsoft.com/security/



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.