Patch to a patch of a Microsoft patch needs patching
In the latest incident of a now-chronic problem that has been bugging Microsoft all year, a recent security patch now causes IE6 to crash in Windows XP...again.
In a classic Tim Conway comedy sketch, he plays a corpse being prepared for a funeral by mortician Harvey Korman. But one limb of Conway's body simply insists on sticking up in the air, and whenever Korman finally retracts it, another one pops up elsewhere.
Wednesday morning, Microsoft must have known what it was like to have been one of Carol Burnett's regulars, as the Internet Explorer team admitted that the cumulative update in last Patch Tuesday's round of updates, which was supposed to have addressed a chronic problem, causes a new one: Internet Explorer 6 will crash on systems running Windows XP Service Pack 2.
"This might occur while navigating to a website," reads a post by IE security program manager Terry McCoy yesterday, "hosting considerable media content (for example: http://msn.com) resulting in Internet Explorer displaying a dialog that states 'Internet Explorer has experienced a problem and needs to close.'"
Last February, URLMON.DLL was at the crux of another code instantiation vulnerability. After the fix was applied that month, a new form of the same problem cropped up in June.
The February vulnerability cropped up following a patch to a problem in URLMON.DLL that turned up in August 2006, after some users installed a previous patch and discovered that their IE6 would crash.
While Microsoft didn't provide specifics of today's problem up front in its latest messages to customers, it was the nature of the workaround it suggests in its security bulletin this morning that revealed another instance of the same old problem: One of IE's principal libraries, URLMON.DLL, has been patched periodically throughout the year to address issues with possible malicious remote code instantiation. The library's purpose is to provide an interface to IE's communications protocols using the Windows Component Object Model, and it's designed so that other programs can extend this interface for new protocol functions -- for instance, security routines.
Not just any component should be able to plug into the IE protocols, which is why filters are typically applied. Those filters are currently enrolled in the Windows System Registry, and this morning's workaround would effectively turn some of those filters off...which in the long run may not be a very good idea.
Nevertheless, McCoy is strongly recommending that IE6 users go ahead and apply the patch that causes the crash, for security purposes, and then apply the workaround, which could very well open up a new rash of problems.
Unlike the great Harvey Korman, some users out there may not be laughing hysterically.
10:30 am EST December 21, 2007 - This morning, Microsoft released a patch for the URLMON.DLL issue which its official download page states is a resolution to the issue. A Knowledge Base page linking to this download called it a "workaround," although the packaging of the download itself implies that it contains more than just a .REG file version of the Registry workaround procedure that Microsoft advocated a few days ago.
The download is being described as for users of Windows XP Service Pack 2, without mentioning whether those users have Internet Explorer version 6 or 7 installed. The issue only affected IE6 users, so theoretically, the patch should not apply to those with IE7 installed.