IE Patch Intros New Exploitable Vulnerability

Researchers at eEye Digital Security warn that a browser bug diagnosed by Microsoft as an "unexpected crash" is actually an exploitable high-risk vulnerability.

On the same day Microsoft is expected to re-release an Internet Explorer security update, a private security research outfit is warning that the original patch actually introduced an exploitable vulnerability.

The new warning comes less than a week after Microsoft offered a private hotfix for the browser because of a glitch that caused unexpected crashes.

However, according to an advisory from eEye Digital Security, the browser crash could cause a "high risk" buffer overflow that could lead to code execution attacks.

"After investigating and confirming that indeed this is an exploitable condition, we are alerting people to the true severity of these crashing problems that people are experiencing, so that they can take the appropriate mitigation steps as need be," said Marc Maiffret, chief hacking officer at eEye, in Aliso Viejo, Calif.

Microsoft confirmed eEye's new discovery and said the updated IE patch would be delayed indefinitely.

"Due to an issue discovered in final testing that impacts a customer's ability to broadly deploy the update, Microsoft will not be re-releasing MS06-042 today [Aug. 22]," a company spokesperson said in a statement sent to eWEEK.

Microsoft also posted a security advisory that pinpointed the issue as "long URLs to sites using HTTP 1.1 and compression."

The company also chided eEye for going public with its findings before a comprehensive fix could be made available.

However, Maiffret noted that his company's warning never included any details that could point to the cause of the bug.

Instead, he noted that Microsoft's advisory mentions "long URLs" as the cause.

"We never mentioned long URLs publicly anywhere because we did not want to release any details," Maiffret said, pointing out that Microsoft has released more information on the bug than anyone else.

Maiffret said the exploitable flaw affects Windows 2000 with IE6 SP1 and the MS06-042 hotfix installed, and Windows XP SP1 with IE6 SP1 and the MS06-042 hotfix installed.

The original patches were shipped as part of the MS06-042 cumulative security update for Internet Explorer, but immediately after the release of the patch on Aug. 8, IE users complained that the browser was crashing when viewing certain Web sites.

On Aug. 11, Microsoft acknowledged the browser crash issues with a knowledge base article and said it was only happening on Web sites using the HTTP 1.1 protocol and compression.

A hotfix was offered to businesses through Microsoft's PSS (Product Support Services), and the company said it would re-release the full IE update on Aug. 22.

According to eEye's Maiffret, the new exploitable issue is already known in research circles and among exploit writers.

"[It] is important that IT administrators understand the true threat of this problem, that this is not simply a crashing bug as Microsoft has been incorrectly misrepresenting it, but in fact that it is an exploitable security bug," he said.

"Researchers and exploit developers know this, therefore it is extremely important that IT administrators are told what really is going on," he added.

Maiffret recommends that affected IE users disable HTTP 1.1 functionality in the browser.

He also suggested that Windows users upgrade to Windows XP SP2 (Service Pack 2) to protect against the vulnerability.

Public support for Windows XP SP1 ends in October 2006.

