Microsoft has re-issued a critical security update for Explorer, two days later than planned.
The re-issued patch is important because it "fully resolves" a serious security bug Microsoft introduced with the original update, released on 8 August.
Microsoft acknowledged that there were problems with its update soon after it was issued. Websites that used HTTP1.1 compression to speed up the downloading of images could cause the browser to fail and users of Web-based applications such as PeopleSoft, Siebel, and Sage CRM had problems with the software.
The issue is not widespread as it does not affect the most recently updated version of Windows XP or 2000, but users of Internet Explorer 6 SP1 on Windows 2000 SP4 and Windows XP SP1 are affected.
Last week, Microsoft released a "hotfix" download that addressed these problems, but the software vendor also decided to take the unusual step of announcing it would re-release the entire update (MS06-042).
This would ensure that subscribers to Microsoft's automatic update services would automatically receive the fixed patch. That update was slated to have been released this Tuesday, but it was ultimately delayed because of an "issue discovered in final testing," Microsoft said.
Just as Microsoft was announcing this delay, security researchers at eEye Digital Security disclosed the security issue, saying that Microsoft's update had actually createda new IE bug that attackers could exploit to run unauthorised software on a PC.
No attacks exploiting this bug have been reported, but eEye believes that the issue is critical. "The bad guys basically know about this and know that it's an exploitable scenario," said eEye's chief hacking officer Marc Maiffret said.