[ISN] Download Problem Interferes with IE Patch Release

InfoSec News isn at c4i.org
Wed Aug 10 02:35:24 EDT 2005


By Ryan Naraine 
August 9, 2005 

Microsoft late Tuesday confirmed that its "critical" Internet Explorer
patches had to be pulled after a hiccup caused some of the downloads
to be corrupted.

The glitch was detected by users attempting to install the IE patch
from the Microsoft Download Center.

"Shortly after we released the updates this morning we found that
several of the Internet Explorer updates provided only to the Download
Center were corrupted, breaking the digital signature and preventing
them from installing," a post on the official Internet Explorer Weblog

The patches posted on Microsoft Update and Windows Update were not
affected by the glitch and are installing properly.

"We've identified the problem, removed the affected updates from the
Download Center, and will repost them shortly to correct the issue,"  
said Jeremy Mazner, technical evangelist for Windows Vista and IE.

The cumulative IE update was part of the August release of six
security bulletins from the software maker to cover eight
vulnerabilities in the Windows operating system. The IE bulletin
carries a "critical" rating and delivers patches for three separate
remote code execution flaws in the world's most widely used browser.

The most serious of the three is a flaw in the way IE handles JPEG
images. An attacker could exploit the vulnerability by creating a
malicious JPEG image and luring a Web surfer to view the image. "An
attacker who successfully exploited this vulnerability could take
complete control of an affected system," the company said, adding that
the malicious image could also be distributed via e-mail.

The bulletin also includes patches for a cross-domain flaw in IE that
could lead to system takeover and information disclosure attacks.

A third remote code execution bug was found in the way the browser
instantiates COM Objects that are not intended to be used in Internet
Explorer. This flaw could also be exploited by an attacker to take
"complete control" of an unpatched system, Microsoft Corp. warned.
