This morning we re-released three versions of our August 2006 cumulative security update (MS06-042). As I had written about before, the original release of MS06-042 introduced a new security vulnerability for IE 6.0 SP1 users which we addressed in a subsequent re-release. However, with the increased scrutiny this release received, a security researcher responsibly disclosed to us that a similar vulnerability was also discovered in IE5.01 on Windows 2000, IE 6.0 SP1 (in a different location), and the original release of Windows Server 2003 (not SP1). This re-release fixes that vulnerability.
This update is available through all of our normal release channels including Windows Update, Automatic Update, Download Center and our deployment tools such as WSUS. We recommend all affected customers install the update immediately. Users running Windows XP SP2, Server 2003 SP1 or any of the IE7 betas, IE7 Release Candidate 1, or Windows Vista are not affected and do not need to take action.
This release and the need for subsequent re-releases have certainly been a learning experience for us. This update cycle has not been an example of our best work, but as I mentioned earlier we have used this experience to improve our processes and increase transparency to ensure all of our releases are of the quality we expect and our customers deserve.
Tony ChorGroup Program Manager
edit: removed Download Center link