[ISN] IE Patch Intros New Exploitable Vulnerability

From: InfoSec News (alerts@private)
Date: Tue Aug 22 2006 - 23:58:13 PDT


http://www.eweek.com/article2/0,1895,2007109,00.asp

By Ryan Naraine 
August 22, 2006 

On the same day Microsoft is expected to re-release an Internet Explorer 
security update, a private security research outfit is warning that the 
original patch actually introduced an exploitable vulnerability.

The new warning comes less than a week after Microsoft offered a private 
hotfix for the browser because of a glitch that caused unexpected 
crashes.

However, according to an advisory from eEye Digital Security, the 
browser crash could cause a "high risk" buffer overflow that could lead 
to code execution attacks.

"After investigating and confirming that indeed this is an exploitable 
condition, we are alerting people to the true severity of these 
'crashing' problems that people are experiencing, so that they can take 
the appropriate mitigation steps as need be," said Marc Maiffret, chief 
hacking officer at eEye, in Aliso Viejo, Calif.

Microsoft confirmed eEye's new discovery and said the updated IE patch 
would be delayed indefinitely.

"Due to an issue discovered in final testing that impacts a customer's 
ability to broadly deploy the update, Microsoft will not be re-releasing 
MS06-042 today [Aug. 22]," a company spokesperson said in a statement 
sent to eWEEK.

Microsoft also posted a security advisory that pinpointed the issue as 
"long URLs to sites using HTTP 1.1 and compression."

The company also chided eEye for going public with its findings before a 
comprehensive fix could be made available.

However, Maiffret noted that his company's warning never included any 
details that could point to the cause of the bug.

Instead, he noted that Microsoft's advisory mentions "long URLs" as the 
cause.

"We never mentioned 'long URLs' publicly anywhere because we did not 
want to release any details," Maiffret said, pointing out that Microsoft 
has released more information on the bug than anyone else.

Maiffret said the exploitable flaw affects Windows 2000 with IE6 SP1 and 
MS06-042 hotfix installed; and Windows XP SP1 with IE6 SP1 and MS06-042 
hotfix installed.

The original patches were shipped as part of the MS06-042 cumulative 
security update for Internet Explorer, but immediately after the release 
of the patch on Aug. 8, IE users complained that the browser was 
crashing when viewing certain Web sites.

On Aug. 11, Microsoft acknowledged the browser crash issues with a 
knowledge base article and said it was only happening on Web sites using 
the HTTP 1.1 protocol and compression.

A hotfix was offered to businesses through Microsoft's PSS (Product 
Support Services), and the company said it would re-release the full IE 
update on Aug. 22.

According to eEye's Maiffret, the new exploitable issue is already known 
in research circles and among exploit writers.

"[It] is important that IT administrators understand the true threat of 
this problem, that this is not simply a crashing bug as Microsoft has 
been incorrectly misrepresenting it, but in fact that it is an 
exploitable security bug," he said.

"Researchers and exploit developers know this, therefore it is extremely 
important that IT administrators are told what really is going on," he 
added.

Maiffret recommends that affected IE users disable HTTP 1.1 
functionality in the browser.

He also suggested that Windows users upgrade to Windows XP SP2 (Service 
Pack 2) to protect against the vulnerability.

Public support for Windows XP SP1 ends in October 2006.

