Third time a charm for IE patch?

Microsoft issues a third version of a troubled Internet Explorer patch to fix a bug in an earlier update.

Joris Evers Staff Writer, CNET News.com

Joris Evers covers security.

Joris Evers

Sept. 14, 2006 7:03 a.m. PT

2 min read

Microsoft has issued a third version of a troubled Internet Explorer patch, aiming to fix a bug in an earlier update that could be exploited to hijack Windows PCs.

The original MS06-042 patch, released on Aug. 8, introduced not one, but two new security holes. Microsoft addressed one flaw in an updated version of the patch released Aug. 24 and dealt with the second flaw in the third version released Tuesday, Tony Chor, a group program manager on the IE team at Microsoft, wrote on a corporate blog.

MS06-042, a cumulative security update for the widely used Web browser, was one of a dozen security updates delivered last month and was meant to repair eight flaws. Microsoft tagged the update "critical," its most severe rating.

The patch now fixes 10 flaws, including two introduced by earlier versions of the update. The first bug affected IE 6.0 with Service Pack 1 and could be exploited by remote attackers to commandeer a Windows PC. The second flaw is similar, but affects IE 5.01 on Windows 2000, IE 6.0 Service Pack 1 (in a different location), and IE in the original release of Windows Server 2003.

"This update cycle has not been an example of our best work, but...we have used this experience to improve our processes and increase transparency to ensure all of our releases are of the quality we expect and our customers deserve," Chor wrote.

This is one of the first times a Microsoft security patch has introduced a new vulnerability, leaving customers in a "darned if you do and darned if you don't position," said Mark Shavlik, chief executive of patch management company Shavlik Technologies.

"A user who has either the first or second version of MS06-042 installed may get hacked if they visit an evil Web site with Internet Explorer," Shavlik said in an e-mailed statement.

The third version of the IE patch was released alongside three new Microsoft security updates in the company's regular monthly update cycle. The company also issued a new version of Windows patch MS06-040 to fix a problem some people experienced with the original update on 64-bit and 32-bit versions of Windows Server 2003 with Service Pack 1 and Windows XP Professional x64 Edition. The company last month made available a "hotfix" to temporarily fix the glitch.

The updates are available through all of Microsoft's regular release channels, including Windows Update, Automatic Update and Download Center, and via patch deployment tools such as Windows Server Update Services. Microsoft recommends that all those affected install the new software immediately.