Microsoft Patch for IE Flaws Is Incomplete
Update: Security researchers claim Microsoft's cumulative patch for six new vulnerabilities in Internet Explorer doesn't resolve the problem it is meant to fix.A group of security researchers that identified one of the vulnerabilities covered by a Microsoft Corp. advisory issued Wednesday said the patch Microsoft issued is incomplete and doesnt resolve the problem it is meant to fix. The patch for a cross-site scripting vulnerability in Internet Explorer only addresses part of the problem and therefore only fixes IE 6.0; versions 5.01 and 5.5 are still vulnerable, according to GreyMagic Software, an Israeli security research firm. "Microsoft did not understand the problem. They only patched a symptom of this vulnerability, not its root cause," the company said in an advisory posted to the BugTraq mailing list. "As a result of that incomplete patch, IE 5 and IE 5.5 are still very much vulnerable to this attack in other resources."
Microsoft security officials defended their actions, saying the patch that is available now is good and the issues that GreyMagic raised in its most recent advisory are new to them.