MS Corrects IE Patch Download Glitch

Less than 24 hours after pushing out patches for three critical Internet Explorer vulnerabilities, Microsoft has re-released the bulletin to correct a glitch that blocked some users from downloading the patches.

Microsoft Corp. did not say how the corrupted files ended up on the Microsoft Download Center. A brief note appended to the re-released MS05-038 bulletin noted simply that the original packages were causing some “installation failures.”

On the Microsoft Security Response Center Weblog, a company spokesman explained the hiccup as a “corruption” that occurred in one of the final stages of publication.

The official made it clear the IE patches delivered via Windows Update, Microsoft Update, and the Windows catalog were unaffected by the corruption. “[If] you got the update from the download center in the first few hours after the 10 a.m. release, then the update you downloaded would not install,” he explained.

/zimages/4/28571.gifClick here to read more about the original IE patch release.

” We immediately pulled the ability to get the updates from the Download Center, investigated the cause of the problem, and re-published the updates. The updates are now available on the Download center and we have re-released the bulletin to notify customers,” the spokesman added.

The cumulative IE update was part of the August release of six security bulletins from the software maker to cover eight vulnerabilities in the Windows operating system. The IE bulletin carries a “critical” rating and delivers patches for three separate remote code execution flaws in the worlds most widely used browser.

The most serious of the three is a flaw in the way IE handles JPEG images. An attacker could exploit the vulnerability by creating a malicious JPEG image and luring a Web surfer to view the image. “An attacker who successfully exploited this vulnerability could take complete control of an affected system,” the company said, adding that the malicious image could also be distributed via e-mail.

The bulletin also includes patches for a cross-domain flaw in IE that could lead to system takeover and information disclosure attacks. A third remote code execution bug was found in the way the browser instantiates COM Objects that are not intended to be used in Internet Explorer. This flaw could also be exploited by an attacker to take “complete control” of an unpatched system, Microsoft warned.

/zimages/4/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.