Microsoft Patches Broken Patch

Botched IE update disrupted browser authentication and help

Microsoft Corp.'s security update for its Internet Explorer Web browser was supposed to fix a vulnerability the company said would allow an attacker hosting a malicious Web site “to execute commands on a user’s system.” Unfortunately, in many cases the patch disabled the browser’s ability to authenticate users with some Web sites.

The patch, “February, 2003 Cumulative Patch for Internet Explorer (810847),” affected Internet Explorer 5.01, 5.1, and 6.0, and a range of Web sites requiring authentication, including subscription-based sites and MSN e-mail. Internet Explorer versions 5.0 and earlier may be similarly vulnerable, said Microsoft, but they are no longer supported.

The original security fix addressed two new vulnerabilities in Internet Explorer’s cross-domain security model. In one flaw, an attacker could craft code and put it on a Web site. When users encountered the code, it could deposit “a malicious executable onto the system and then run it,” according to Microsoft. In the other flaw, attackers could use the showHelp function—a method in Internet Explorer for displaying HTML help files—to read files on a user’s PC or read the user’s personal information.

Again, the user would have to click a malicious link at another Web site for this to work, or else the attacker would need to know exact pathnames of information to be purloined. On the other hand, the locations of many Windows file types are stored in identical directories across millions of PCs. This vulnerability could also be used to load malicious executables on a user’s computer.

The update fixes the showHelp attack simply by disabling showHelp. Another patch, “Critical Update 811630,” is needed to restore showHelp functionality.

The updated patch can be found at:

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a freelance security and technology writer.