Today’s postponed re-release of MS06-042, and posting of a Security Advisory

Hi everyone, Stephen Toulouse here. We wanted to provide you with information about the MS06-042 re-release that was scheduled to occur today. As posted on August 15th, we noted we would be re-releasing MS06-042 today to address a crashing issue that could occur if you are using HTTP 1.1 in combination with Internet Explorer 6.0 SP1. Late last night we discovered an issue that led us to the difficult but necessary decision not to release this update today. Providing the update in its current state would have resulted in customers being unable to deploy it. Once that issue is resolved we will of course release the update.


The far more difficult problem revolves around the nature of the crash itself. Shortly after the release of MS06-042, independent security researchers responsibly disclosed to us that they had discovered the crash was exploitable. We worked with them responsibly during the creation of the update. As soon as we knew we would have to halt the re-release, we informed the third-party researchers. Because we did not want to communicate the exploitability of the crash prior to an update being available, we also began the process of holding our communication on the issue so that attackers would not have clear public information that the current problem was exploitable.


This was another difficult decision on our part. There was no intent here to misrepresent the issue as not being exploitable. Often, however, we find ourselves in the position of having to strike a balance between providing information equally to users who would use it to protect themselves, and attackers who, history has proven, will immediately use it for criminal purposes. In this case, we felt that, because the platform and specific vector of the crash were known, publicly disclosing that it was an exploitable security vulnerability prior to our being able to provide customers with an update to address it would have breached our position on responsible disclosure and would have put customers at increased risk.


Unfortunately, one of the security researchers who reported this to us disagreed with our decision to hold communications and has publicly pointed out the exploitability of the specific crash and the affected platform. Up until now, we have not seen any attacks using this vulnerability, nor have we seen broad awareness of it. Now that the exploitability is public, however, there is certainly increased risk of attack. We have issued a security advisory detailing workarounds and mitigations for the vulnerability while our teams work at full speed to resolve the quality issue and release the update as soon as it meets our quality bar.


The Internet Explorer team, as part of our original intended communications on this event, had worked up a blog entry on what they learned from the incident and what processes have changed. Now that the issue is public, while we are working to provide the update, they have made that posting available here.


To be clear, this issue does not impact other versions of Internet Explorer, such as Internet Explorer on Windows XP SP2 or Internet Explorer on Windows Server 2003 or Windows Server 2003 SP1. As always, we will be using the blog and our security advisory to keep you up to date if we now see attacks as a result of the public information.

[EDIT: Changed title from “Canceled” to “Postponed” since we will indeed be re-releasing the update in the future]

*This posting is provided “AS IS” with no warranties, and confers no rights.*