Microsoft patch opens users to attack

Posted by imhotep on August 23, 2006, 11:29 pm
Microsoft patch opens users to attack

"The flaw, initially thought to only crash Internet Explorer, actually
allows an attacker to run code on computers running Windows 2000 and
Windows XP Service Pack 1 that have applied the August cumulative update to
Internet Explorer 6 Service Pack 1, security firm eEye Digital Security
told SecurityFocus on Tuesday. The update, released on August 8, fixed
eight security holes but also introduced a bug of its own, according to
Marc Maiffret, chief hacking officer for the security firm, which notified
Microsoft last week that the issue is exploitable."

http://www.securityfocus.com/news/11408?ref=rss

--Imhotep

Posted by Roger Abell [MVP] on August 24, 2006, 10:15 am
Old news, and as mentioned in a number of prior threads, MS initially
anticipated releasing updated patch on Aug 22 for W2k Sp4 running
IE 6 Sp 1, which is the only currently supported OS config impacted
(i.e. update a vulnerable XP to SP2 to become immune to this).

Again, your provided quote does not make clear that only W2k Sp4
is affected, and only if it has IE at IE 6 Sp1, nor does it make clear
that anyone running XP at Sp1 is missing a number of patches (not
released for Sp1) making this issue relatively unimportant for them.

On Aug 22 the bulletin and KB were updated to advise that issues had
been found requiring further quality assurance time.
http://www.microsoft.com/technet/security/bulletin/ms06-042.mspx
http://support.microsoft.com/kb/923762/

If you would provide links to the primary information sources rather
than only quotes of third-party digests, people would have the full info,
would not have been misled in thinking this systemic to more OS/IE
combos, people would have had access to recommendations on what
to do and that the patch update is "on the way", and I would not have
needed to correct this.

Roger



> Microsoft patch opens users to attack
>
> "The flaw, initially thought to only crash Internet Explorer, actually
> allows an attacker to run code on computers running Windows 2000 and
> Windows XP Service Pack 1 that have applied the August cumulative update
> to
> Internet Explorer 6 Service Pack 1, security firm eEye Digital Security
> told SecurityFocus on Tuesday. The update, released on August 8, fixed
> eight security holes but also introduced a bug of its own, according to
> Marc Maiffret, chief hacking officer for the security firm, which notified
> Microsoft last week that the issue is exploitable."
>
> http://www.securityfocus.com/news/11408?ref=rss
>
> --Imhotep



Posted by Roger Abell [MVP] on August 24, 2006, 12:25 pm
Well, guess I better get with the program . . .
http://support.microsoft.com/?kbid=918899
was again updated later Aug 23 and now shows that for
http://support.microsoft.com/kb/923762/
the issue some are reporting as (potentially) exploitable,
IE 6 Sp1 without statement limiting to OS is impacted.

--
Roger Abell
Microsoft MVP (Windows Server : Security)

> Old news, and as mentioned in a number of prior threads, MS initially
> anticipated releasing updated patch on Aug 22 for W2k Sp4 running
> IE 6 Sp 1, which is the only currently supported OS config impacted
> (i.e. update a vulnerable XP to SP2 to become immune to this).
>
> Again, your provided quote does not make clear that only W2k Sp4
> is affected, and only if it has IE at IE 6 Sp1, nor does it make clear
> that anyone running XP at Sp1 is missing a number of patches (not
> released for Sp1) making this issue relatively unimportant for them.
>
> On Aug 22 the bulletin and KB were updated to advise that issues had
> been found requiring further quality assurance time.
> http://www.microsoft.com/technet/security/bulletin/ms06-042.mspx
> http://support.microsoft.com/kb/923762/
>
> If you would provide links to the primary information sources rather
> than only quotes of third-party digests, people would have the full info,
> would not have been misled in thinking this systemic to more OS/IE
> combos, people would have had access to recommendations on what
> to do and that the patch update is "on the way", and I would not have
> needed to correct this.
>
> Roger
>
>
>
>> Microsoft patch opens users to attack
>>
>> "The flaw, initially thought to only crash Internet Explorer, actually
>> allows an attacker to run code on computers running Windows 2000 and
>> Windows XP Service Pack 1 that have applied the August cumulative update
>> to
>> Internet Explorer 6 Service Pack 1, security firm eEye Digital Security
>> told SecurityFocus on Tuesday. The update, released on August 8, fixed
>> eight security holes but also introduced a bug of its own, according to
>> Marc Maiffret, chief hacking officer for the security firm, which
>> notified
>> Microsoft last week that the issue is exploitable."
>>
>> http://www.securityfocus.com/news/11408?ref=rss
>>
>> --Imhotep
>
>



Posted by imhotep on August 25, 2006, 6:27 pm
Roger Abell [MVP] wrote:

> Well, guess I better get with the program . . .
> http://support.microsoft.com/?kbid=918899
> was again updated later Aug 23 and now shows that for
> http://support.microsoft.com/kb/923762/
> the issue some are reporting as (potentially) exploitable,
> IE 6 Sp1 without statement limiting to OS is impacted.
>


Is that an apology?

-- Imhotep


Posted by Roger Abell [MVP] on August 26, 2006, 2:20 am

> Roger Abell [MVP] wrote:
>
>> Well, guess I better get with the program . . .
>> http://support.microsoft.com/?kbid=918899
>> was again updated later Aug 23 and now shows that for
>> http://support.microsoft.com/kb/923762/
>> the issue some are reporting as (potentially) exploitable,
>> IE 6 Sp1 without statement limiting to OS is impacted.
>>
>
>
> Is that an apology?
>

No.

An update.


