[ISN] Microsoft Recalls Botched Browser Security Patch

From: InfoSec News (isnat_private)
Date: Mon Feb 11 2002 - 00:00:08 PST

    http://www.newsbytes.com/news/02/174366.html
    
    By Brian McWilliams, Newsbytes
    REDMOND, WASHINGTON, U.S.A.,
    10 Feb 2002, 7:16 PM CST
    
    A collection of long-awaited security patches designed to plug several
    critical holes in Internet Explorer was yanked from Microsoft's site
    Thursday after the company found problems with the fix.
    
    Approximately two hours after the cumulative patch for IE was loaded
    to the company's Windows Update site Thursday, Microsoft "discovered
    an error and halted the distribution process in order to conduct
    further testing," according to a Microsoft representative.
     
    The company did not say how many people downloaded the patch, which
    was designated a "critical update."
    
    The error resulted from the software "package" used to bundle the
    patch code for distribution. The files within the package were fine,
    and users who installed the fix do not need to take any action, the
    spokesperson said.
    
    Microsoft's Windows Update site early Thursday carried an announcement
    of the cumulative patch, which was said to correct "all known security
    flaws in Internet Explorer."
    
    The vulnerability database maintained by SecurityFocus currently lists
    at least nine security flaws in IE that have not been resolved by
    Microsoft.
    
    Tests of the patch downloaded by Newsbytes Thursday showed that the
    fix failed to plug several known IE security issues.
    
    The patch, which was assigned Update Version Q316059, appeared to
    correct a serious flaw publicized Jan. 1 by security consultant Georgi
    Guninski and referred to as the GetObject file disclosure
    vulnerability.
    
    Unpatched, the GetObject flaw could be used by a malicious Web site
    administrator to view any known file on a target system. It may also
    lead to the execution of arbitrary code, said Guninski, who classified
    it as high risk.
    
    The known bugs not fixed by the botched patch include two discovered
    by a security researcher who uses the nickname ThePull. Those bugs
    could allow a malicious site to steal a victim's browser cookies and
    launch programs on the victim's computer, he said.
    
    A demonstration of how the IE cookie-stealing flaw could be used to
    hijack a person's MSN Messenger chat account was posted Friday on the
    Bugtraq security mailing list.
    
    Microsoft said it will conduct further testing and release the final
    cumulative patch and accompanying security bulletin "shortly."
    
    Security experts have expressed frustration with the slow pace at
    which Microsoft has responded to the latest reports of IE flaws.
    
    "If there's a security bug, they need to fix it right away - unless
    their goal is to look like they're not releasing a lot of patches,"
    said Marc Maiffret, chief hacking officer for Eeye Digital Security, a
    Windows security software firm.
    
    For its part, Microsoft has criticized the way that some security
    researchers handled the discovery of the IE flaws.
    
    When ThePull published an advisory and demonstrations of the bugs on
    Jan. 7, Microsoft refused to comment on the report, except to complain
    that its publication may put Microsoft customers at risk and cause
    "needless" confusion and apprehension.
    
    "Responsible security researchers work with the vendor of a suspected
    vulnerability issue to ensure that countermeasures are developed
    before the issue is made public and customers are needlessly put at
    risk," said the company in a statement last month.
    
    But David Ahmad, editor of SecurityFocus' Bugtraq mailing list, said
    Microsoft's unwillingness to acknowledge and openly discuss the flaws
    was disturbing.
    
    "They're going a step beyond not crediting the discoverers of flaws.
    Now they're pretending that the vulnerabilities and the researchers
    who found them don't exist at all," said Ahmad.
    
    The company's recall of the IE security patch follows the announcement
    by Chairman Bill Gates last month of a new corporate strategy, dubbed
    "Trustworthy Computing." Microsoft has resolved to treat security as a
    top priority, even ahead of developing new product features, Gates
    said.
    
    A list of some of the pending security holes in IE is at
    http://jscript.dk/unpatched/
    
    Microsoft's security home page is at
    http://www.microsoft.com/security/
    
    -
    ISN is currently hosted by Attrition.org