Microsoft on Aug. 24 re-released its MS06-042 bulletin to provide patches for a code execution Internet Explorer flaw that was introduced by the original fix.
The reissued browser patch, which is effectively an out-of-band update, brings an end to an embarrassment episode that included a verbal spat between Redmond, Wash., software maker and a private security research firm.
Microsoft originally described the problem as a browser crash but was later forced to acknowledge the critical security risk after eEye Digital Security issued a public warning that the crash was remotely exploitable.
In the updated bulletin, Microsoft removed eEyes name from the list of companies credited with reporting the flaw.
“Unfortunately, eEye Digital Security chose to make the exploitability of the already public crashing issue widely available despite our concerns that this would put customers at risk,” a Microsoft spokesperson said.
“Therefore as per our acknowledgement policies, they are not credited in the bulletin as working with Microsoft responsibly to protect our customers,” he added.
The re-release was scheduled for Aug. 22 but was delayed for a few days because of problems with Microsofts patch delivery technology.
A source told eWEEK said the problems centered around the way Microsofts proprietary SMS (Systems Management Server) handled cabinet (.cab) files.
Mike Reavey, operations manager of the MSRC (Microsoft Security Response Center), defended the companys decision to delay the patch, arguing that a lot of customers affected by the bug would have had problems downloading the fix.
“A large number of our customers running Internet Explorer 6.0 SP1 are running it on Windows 2000, as that is the most current version of Internet Explorer for that platform. Those customers rely heavily on deployment tools such as the Microsoft Baseline Security Analyzer (MBSA) and the Inventory Tool for Microsoft Updates (ITMU). The problem we discovered late in testing was related to a background technology used by those deployment technologies,” Reavey said.
Because of the internal distribution problem, he said, a “significant portion of customers would have been unable to deploy the update” if it was rolled out on Aug. 22.
“This is very important. Because while some customers still using Internet Explorer 6.0 SP1 do utilize other detection and deployment technologies, a large portion still rely on the deployment technologies like MBSA and the ITMU due to their support of older products and infrastructures,” Reavey said.
MBSA (Microsoft Baseline Security Analyzer) and ITMU (Inventory Tool for Microsoft Updates) are used by IT professionals to help determine the security state and update compliance of managed systems.
“Because this directly affects the ability of those customers most affected by the re-release to protect themselves, we delayed the release to successfully address this issue so that all customers could protect themselves fully. We simply cannot leave those customers behind on a security release. We feel it this was the right call to make, and it was not an easy one,” he added.