IE Patch Intros New Exploitable Vulnerability

By Ryan Naraine

Researchers at eEye Digital Security warn that a browser bug diagnosed by Microsoft as an "unexpected crash" is actually an exploitable high-risk vulnerability.

On the same day Microsoft is expected to re-release an Internet Explorer security update, a private security research outfit is warning that the original patch actually introduced an exploitable vulnerability.

The new warning comes less than a week after Microsoft offered a private hotfix for the browser because of a glitch that caused unexpected crashes.

However, according to an advisory from eEye Digital Security, the condition behind the browser crash is a "high risk" buffer overflow that could lead to code execution attacks.

"After investigating and confirming that indeed this is an exploitable condition, we are alerting people to the true severity of these 'crashing' problems that people are experiencing, so that they can take the appropriate mitigation steps as need be," said Marc Maiffret, chief hacking officer at eEye, in Aliso Viejo, Calif.

Microsoft confirmed eEye's new discovery and said the updated IE patch would be delayed indefinitely.

"Due to an issue discovered in final testing that impacts a customer's ability to broadly deploy the update, Microsoft will not be re-releasing MS06-042 today [Aug. 22]," a company spokesperson said in a statement sent to eWEEK.

Read the full story on eWEEK.com: IE Patch Intros New Exploitable Vulnerability

This article was originally published on 2006-08-22
