More MS06-042 [patch] woes


davidh
August 23rd, 2006, 02:01 PM
More MS06-042 woes
Published: 2006-08-22
Last Updated: 2006-08-22 23:35:49 UTC by Johannes Ullrich (Version: 1)

The hotfix for MS06-042, which was supposed to be released today, has been delayed. Worse: It turns out that MS06-042 introduced a new security problem. The crashes everyone is having so much fun with are just the tip of the iceberg. The issue can also be used to execute arbitrary code. In particular, note that MSFT's advisory essentially tells you how to exploit the issue. Exploits will likely follow very soon (days?).

http://isc.sans.org/diary.php?storyid=1627&rss

dh

Judy G. Russell
August 23rd, 2006, 03:45 PM
Okay. I'll bite. What the $%^&#$ is MS06-042?

Gary Maltzen
August 23rd, 2006, 04:21 PM
MS06-042 is the designation given to a recent Microsoft Internet Explorer 6 patch. At a minimum installing the patch causes IE6 to crash when the web site supplies a compressed document; it won't be very long before someone figures out how to exploit that crash.

davidh
August 23rd, 2006, 04:27 PM
"Okay. I'll bite. What the $%^&#$ is MS06-042?"
Sorry, it's the patch for IE 6 that came out in the MS August patch roll up (bundle whatever).

Apparently only certain server-side programs / web sites cause the patch to crash IE, but as the article states, the patch introduces new security hole(s) that are likely to be exploited in the wild very soon.

So for the home user, chances are that keeping the August roll up patch(s) is better than not having the patches installed.

I'm so used to seeing the MS issue numbers on Internet Storm Center that I get in the habit of thinking they are common knowledge, sorry.

dh

fhaber
August 23rd, 2006, 04:45 PM
Thanks, David.

(Judy: MSIE patch. They're going to have to patch it again.)

All: The vulnerability aside, what's broken seems considerably more broken under Win2000 and XPSP1 than it does under SP2. Some sites will just fail.

Warm up your FF and Operas, folks.

Judy G. Russell
August 23rd, 2006, 10:17 PM
"At a minimum installing the patch causes IE6 to crash when the web site supplies a compressed document; it won't be very long before someone figures out how to exploit that crash."
Oh now isn't that fun... Thanks.

Judy G. Russell
August 23rd, 2006, 10:18 PM
"Warm up your FF and Operas, folks."
That's all I use, so I feel fine.