From: /m 


http://weblog.infoworld.com/techwatch/archives/007870.html

===
It's patch Tuesday again, and Microsoft's hoping three's a charm for its
wayward Cumulative IE patch, MS06-042. The company quietly re-released
(actually re-re-released) 042 today to fix yet another security hole
introduced by the software update. MS06-042 wasn't listed among the new
fixes in the September patch release, but the company pushed out an update
fixing the new hole, according to the company's Web page.

Meet the new patch. Same as the old patch. According to Microsoft's
security bulletin, the IE patch was updated September 12 to fix another
remote code execution vulnerability in IE's handling of long URLs from
Websites using HTTP 1.1 protocol and compression. That's almost identical
to the problem introduced in the original version of the patch, then
discovered by security researchers at eEye Digital Security.

Come Back to the Five and Dime, Stevie T. Microsoft's inability to nail
down the Long URL problem raises questions about the performance of the
MSRC, which had gained a solid reputation for patch testing and
distribution in recent years. With Vista nearing completion, the ranks are
shifting within Microsoft's security Technology Unit (STU). Long time STU
VP Mike Nash went on sabbatical in June after four years at the helm. More
recently, MSRC program manager Stephen Toulouse announced that he was
shifting his energies from security response to Vista's security features.

"There seems to have been a lot of management execution problems at
Microsoft over this Internet Explorer MS06-042 patch," said Marc
Maiffret, the Chief Hacking Officer at eEYE. "They have now
re-released it a second time and again only because indep[en]dent third
party researchers told them about it. Hopefully this is not a sign of some
downswing, lack of focus, on their Trustworthy Computing initiative."
===

 /m

--- BBBS/NT v4.01 Flag-5