Patch Tuesday Analysis for August 2006
Update on MS06-042 problems; if you haven't loaded MS06-040, install it YESTERDAY
Update on MS06-042 and MS06-040
MS06-042, the cumulative security patch for Internet Explorer (918899), has caused some real headaches for all of us in the user community and for Microsoft. Actually, the real culprit may lie with the security researcher who broke with responsible disclosure. Here's what happened. After the release of MS06-042, some researchers discovered and privately reported to Microsoft a defect in the patch that causes a crash on IE 6.0 SP1 systems with MS06-042 installed. Worse still, the crash was exploitable, meaning that installing the security update introduced a new security hole. Microsoft decided to hold off reporting this new vulnerability until they developed a fix. One of the researchers disagreed and went public about the defect and its exploit details. Microsoft is apparently having a difficult time fixing the problem, which has forced them to delay the re-release of MS06-042.
So what should you do about MS06-042? Read on.
What to do about MS06-042
Continue applying it. If you are applying or have applied it to IE 6.0 SP1 computers, you should also implement the workaround described in the latest security advisory, Microsoft Security Advisory (923762): Long URLs to sites using HTTP 1.1 and compression Could Cause Internet Explorer 6 Service Pack 1 to Unexpectedly Exit. This workaround has you disable the HTTP 1.1 protocol in IE. You can use Group Policy to automate this change. Disabling HTTP 1.1 won't impact the browsing of most sites.
Now, let's talk about MS06-040, which is the update for the nasty vulnerability in the Server service. Sometimes I hate being right. On Patch Tuesday I said MS06-040 "would be a prime candidate for a worm infection vector" and sure enough, along came Graweg Saturday night. The good news, if you are an XP and 2003 shop, is that Graweg only affected Windows 2000 systems, but there's no reason to assume another exploit won't come along that spreads faster and does more damage. So I strongly encourage you to scan your network with MBSA and patch any systems missing MS06-040, Vulnerability in Server Service Could Allow Remote Code Execution (921883), before it's too late.
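The guidance above for MS06-040 and MS06-042 can be turned into a triage pass over scan results. The following is an added example, not part of the original newsletter: the inventory columns, host names and priority numbers are assumptions, and the sample data is constructed.

```python
import csv
import io

# Constructed sample inventory (not real hosts). Column names are assumptions
# standing in for whatever your scanner or asset database exports.
SAMPLE_INVENTORY = """\
host,os,ie_version,installed_kbs,http11_enabled
ws-001,Windows 2000,6.0 SP1,918899;921883,yes
ws-002,Windows 2000,6.0 SP1,918899,no
srv-010,Server 2003,6.0,918899;921883,yes
ws-003,XP,6.0 SP1,,yes
ws-004,XP,6.0 SP1,918899;921883,no
"""

KB_MS06_040 = "921883"  # Server service update
KB_MS06_042 = "918899"  # cumulative IE update


def triage(inventory_csv):
    """Return (priority, host, action) tuples, most urgent first.

    Priority numbers are an assumption of this example: 1 = missing MS06-040
    on Windows 2000 (the platform Graweg hit), 2 = missing MS06-040
    elsewhere, 3 = MS06-042 follow-up work.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        kbs = {kb.strip() for kb in row["installed_kbs"].split(";") if kb.strip()}
        host = row["host"]
        ie6_sp1 = row["ie_version"] == "6.0 SP1"
        if KB_MS06_040 not in kbs:
            prio = 1 if row["os"] == "Windows 2000" else 2
            findings.append((prio, host, "install MS06-040 (921883)"))
        if KB_MS06_042 not in kbs:
            action = "install MS06-042 (918899)"
            if ie6_sp1:
                action += ", then disable HTTP 1.1 in IE"
            findings.append((3, host, action))
        elif ie6_sp1 and row["http11_enabled"] == "yes":
            # Patched IE 6.0 SP1 still needs the advisory 923762 workaround
            findings.append((3, host, "disable HTTP 1.1 in IE (advisory 923762)"))
    return sorted(findings)


if __name__ == "__main__":
    for prio, host, action in triage(SAMPLE_INVENTORY):
        print(f"P{prio}  {host:8}  {action}")
```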
| Bulletin | Exploit Types / Technologies Affected | System Types Affected | Exploit details public? / Being exploited? | Comprehensive, practical workaround available? | MS severity rating | Products Affected | Notes | Randy's recommendation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| MS06-044 (917008) | Arbitrary code / Windows | Workstations, Terminal Servers | No/No | No | Critical | Win2000, Datacenter Server 2000, Advanced Server 2000, Small Business Server 2000 | MMC | Patch after full testing or workaround |
| MS06-051 (917422) | Arbitrary code, Privilege elevation / Windows | Workstations, Terminal Servers | No/No | No | Critical | XP, Server 2003, Small Business Server 2003, Small Business Server 2000 | Microsoft Windows | Patch after testing |
| MS06-042 (918899) | Arbitrary code / IE | Workstations, Terminal Servers | Yes/Yes | No | Critical | Win2000, XP, Server 2003, Datacenter Server 2000, Advanced Server 2000 | Internet Explorer | Patch after full testing |
| MS06-043 (920214) | Arbitrary code / Windows | Workstations, Terminal Servers | Yes/No | No | Critical | XP, Server 2003 | Outlook Express | Patch or disable Outlook Express |
| MS06-050 (920670) | Arbitrary code / Windows | Workstations, Terminal Servers | No/No | No | Important | XP, Server 2003, Datacenter Server 2000, Small Business Server 2003, Small Business Server 2000, WinNT | Kernel | Patch after testing in high security environments |
| MS06-041 (920683) | Arbitrary code / Windows | Workstations, Terminal Servers, Servers | No/Yes | No | Critical | XP, Server 2003, Small Business Server 2003, Small Business Server 2000 | Windows | Patch after testing or use workaround |
| MS06-049 (920958) | Privilege elevation / Windows | Workstations, Terminal Servers | Yes/No | No | Important | Win2000, Small Business Server 2000 | Windows 2000 | Patch after testing |
| MS06-045 (921398) | Arbitrary code / Windows | Workstations, Terminal Servers | Yes/No | Yes | Important | XP, Server 2003, Small Business Server 2003, Small Business Server 2000 | Web Client Service | Patch after testing or workaround |
| MS06-047 (921645) | Arbitrary code / Office and/or Visual Basic | Workstations, Terminal Servers | No/No | No | Critical | Office 2000, Office XP, Visual Basic 6.0, Visio 2002, Project 2000, Project 2002, Works 2005, Works 2004, Works 2006, Office 2002 | Microsoft Office and VBA | Patch ASAP after testing |
| MS06-040 (921883) | Arbitrary code, Information disclosure / Windows | Servers | No/Yes | No | Critical | XP, Server 2003, Small Business Server 2003, Small Business Server 2000 | Windows | Patch after moderate testing |
| MS06-046 (922616) | Arbitrary code / Windows | Workstations, Terminal Servers | Yes/No | No | Critical | XP, Server 2003, Datacenter Server 2000, Small Business Server 2003, Small Business Server 2000 | HTML Help | Patch after testing |
| MS06-048 (922968) | Arbitrary code / PowerPoint | Workstations, Terminal Servers | Yes/No | No | Critical | Office 2000, Office 2003, Office 2004 for Mac, Office X for Mac, Office 2002 | Microsoft PowerPoint | Install ASAP after minimal testing |