Microsoft takes third shot at buggy security patch

Microsoft Corp. just can't seem to shake problems with its MS06-042 update for Internet Explorer.

On Tuesday, Microsoft was forced to release its third version of the update because of a new security bug discovered in the update, according to Tony Chor, a group program manager with Microsoft.

First released on August 8, the critical patch fixes a handful of problems with the browser, but it has caused headaches for some users. Embarrassingly, it also introduced a security vulnerability into the browser, which was fixed last month.

"The original release of MS06-042 introduced a new security vulnerability for IE 6.0 SP1 users which we addressed in a subsequent re-release," he wrote in a Tuesday blog posting. "However... a similar vulnerability was also discovered in IE5.01 on Windows 2000, IE 6.0 SP1 (in a different location), and the original release of Windows Server 2003."

Microsoft customers ran into problems with MS06-042 soon after it was released. Web sites that used HTTP (HyperText Transfer Protocol) 1.1 compression to speed up the downloading of images could cause the browser to fail and users of Web-based applications such as PeopleSoft, Siebel, and Sage CRM had problems with the software.

Later in August, security researchers at eEye Digital Security Inc. disclosed that Microsoft had introduced a new critical security vulnerability in the update. Two days later Microsoft fixed the eEye bug in the MS06-042 re-release.

Apparently this re-release did not address this latest but "similar" vulnerability mentioned by Chor. Microsoft executives could not be reached immediately for comment.

Microsoft often re-issues its security updates to fix minor bugs, but the security issue discovered by eEye placed a lot more scrutiny on MS06-042. Ultimately the update proved to be an ordeal for Microsoft's Security Response Center, and for Microsoft customers.