Microsoft says flaws in patch may be a new vulnerability

Computerworld - Problems that researchers claim went unfixed in an Internet Explorer (IE) security patch released Wednesday may expose a potential new vulnerability, a Microsoft Corp. official said today.
Scott Culp, manager of Microsoft's Security Response Center, said the issues reported to the NTBugtraq mailing list expose a potential new vulnerability that appears similar "from the outside" to previous vulnerabilities when in fact, it affects a different piece of IE code.
"We are investigating it," Culp said. The company will work on a patch "if it turns out to be bona fide," he said.
In the meantime, Culp urged users to download the available patch that Microsoft released. The patch is designed to address six new vulnerabilities, as well as any previous vulnerabilities, found in Versions 5.01, 5.5 and 6.0 of its IE browser (see story).
The day after the patch was released, reports surfaced that it didn't address all of the vulnerabilities it claimed to fix (see story).GreyMagic Software, an Israeli security firm, reported to the NTBugtraq mailing list that Microsoft only patched symptoms of the vulnerability -- "not its root cause."
Culp said the overall scope of the vulnerability exposed by GreyMagic is very similar in appearance outside to the vulnerabilities addressed in Microsoft's latest security bulletin. "It's a completely different vulnerability in terms of where the flaw lies in IE," Culp said.
GreyMagic officials couldn't be reached for comment at deadline.
Russ Cooper, moderator of the Windows NT NTBugtraq mailing list and an analyst at TruSecure Corp. in Herndon, Va., said only Microsoft would know if the bug affects a different piece of code, since it has access to the source code. He said users are getting concerned that when patches come out, there will be fixes for the patches.
"Administrators are afraid in a number of days or a week, there will be a new version," he said.