Microsoft rapped over 'incomplete' patch

The latest major patch for Internet Explorer (IE), released by Microsoft on Wednesday, has come under attack from the security community for not doing what it says on the tin.

According to a discussion which kicked off on security forum Bugtraq yesterday, Microsoft's MS02-23 cumulative patch "promises to eliminate six newly discovered vulnerabilities, but fails to do so".

One expert, Thor Larholm, pointed out that Microsoft had not properly addressed the cross-site scripting vulnerability.

The main hole here, the dialogArguments glitch, has only been patched in IE6, leaving IE5 and 5.5 still vulnerable to attacks which can be exploited through email, contrary to Microsoft's claims.

Example code on the GreyMagic.com security site proves this to be true.

"The demonstration was fixed instead of the vulnerability," said Larholm. "It could appear as though Microsoft is not actively keeping up with the security community and its publications.

"The issue was originally demonstrated with a resource file only found in IE6. Microsoft has fixed the vulnerability in IE6 only."

GreyMagic.com said that Microsoft had misunderstood the issue with its patch for the cross-site scripting vulnerability.

"Microsoft did not understand the problem. It only patched a symptom of this vulnerability, not its root cause," said the site. "As a result of that incomplete 'patch' IE5 and 5.5 are still very much vulnerable to this attack in other resources."

Larholm added that other excerpts in the cumulative patch "behaved properly" but still allowed some symptoms such as local file reading. "Likely not a job full done," he said.

Larholm has put up a list of IE vulnerabilities and their patching status here.

"Yesterday I hosted a list of 14 publicly known un-patched vulnerabilities" before Microsoft released the uber patch. "Today I host a list of 12 such," he said.

Microsoft's take on the vulnerabilities can be found here.