Problems that researchers claim went unfixed in an Internet Explorer (IE) security patch released last Wednesday may expose a potential new vulnerability, a Microsoft official said last Friday.
Scott Culp, manager of Microsoft's Security Response Center, said the issues reported to the NTBugtraq mailing list expose a potential new vulnerability that appears similar "from the outside" to previous vulnerabilities when in fact, it affects a different piece of IE code.
"We are investigating it," Culp said. "If it turns out to be bonafide," the company will work on a patch, he said.
In the meantime, Culp urged users to download the available patch that Microsoft released. The patch is designed to address six new vulnerabilities, as well as any previous vulnerabilities, found in Versions 5.01, 5.5 and 6.0 of its IE browser.
The day after the patch was released, reports surfaced that the patch didn't address all of the vulnerabilities it claimed to fix. GreyMagic Software, an Israeli security firm, reported to the NTBugtraq mailing list that Microsoft only patched symptoms of the vulnerability -- "not its root cause."
Culp said the overall scope of the vulnerability exposed by GreyMagic is very similar in appearance outside to the vulnerabilities addressed in Microsoft's latest security bulletin. "It's a completely different vulnerability in terms of where the flaw lies in IE," Culp said.
GreyMagic officials could not be reached for comment at deadline.
Russ Cooper, moderator of the Windows NT NTBugtraq mailing list and an analyst at TruSecure Corp. in Herndon, Va., said only Microsoft would know if the bug affects a different piece of code, since it has access to the source code. He said users are getting concerned that when patches come out, there will be fixes for the patches.
"Administrators are afraid in a number of days or a week, there will be a new version," he said.