24 Nov 2005
Microsoft has lashed out at UK security firm Computer Terrorism for publishing details about a software vulnerability in Internet Explorer before the vendor had a chance to issue a patch.
Computer Terrorism issued a security advisory on Monday and published proof-of-concept code demonstrating how a known flaw in Internet Explorer could be used to execute code. The method could be used by an attacker to take control over a system.
The flaw was believed to have only a minor security impact, but the proof-of-concept code caused security firm Secunia to raise its severity rating to 'highly critical'.
It is common practice in the security industry to allow software vendors time to develop a patch before details about any vulnerabilities are published. Such details could help malware authors in creating exploits for the flaw and could put the security of end users at risk.
Microsoft is alleging that Computer Terrorism broke with that practice. "Microsoft is disappointed that certain security researchers have breached common industry practices and published proof-of-concept code potentially harming computer users," a company spokesman told vnunet.com.
"Microsoft continues to urge security researchers to disclose vulnerability information responsibly and allow customers time to deploy updates so that they do not aid criminals in their attempt to take advantage of software vulnerabilities."
However, senior security research analyst Simon Robinson argued that Computer Terrorism had no choice. The Internet Explorer flaw was originally published in May but at the time was considered to form only a minor security threat.
"It should never have been classified as a low-level vulnerability," Robinson told vnunet.com. "It should have been a moderate risk. When we picked up that it could be exploitable, we were astonished at how easy it was."
By going public the firm sought to warn end users that they were facing a severe risk. "We had a strong belief that it was already being exploited in the wild," said Robinson.
He emphasised that the firm is talking to Microsoft about the security report and in other cases does follow the industry's non-disclosure guidelines.
"This case where the severity rating of a known flaw had to be elevated to 'highly critical' is unprecedented and justified a deviation from common practices," he said.
The reported flaw affects fully patched Windows systems running Internet Explorer. Users are advised to turn off JavaScript when they visit untrusted websites, or to switch to an alternative browser such as Opera or Firefox.
Trees falling in the forest?
Correct me if I'm wrong, but I don't recall seeing any exploits that came out before a patch has been issued. This says to me that the bad guys haven't figured a way to exploit any of the unpatched vulnerabilities yet. No harm, no foul, and this makes it even more important that exploits not be disclosed no matter what MS does or does not do. I'd go along with playing the squeaky wheel role with MS - keep bugging them, maybe even announcing that there is an exploit possible to get their attention, but not disclosing the proof of concept. If the bad guys never figure it out, then no one gets hurt, even if the risk remains.
Posted by: Al 02 Dec 2005
Come on M$!?!
Holy CRAP! Wow, if it's an 18 month turnaround on bugs that's freaky! Does that only apply to minor bugs? Or 'highly critical' ones too? I'd rather have a company release information to force M$ to fix the issue than wait 18 months thinking my fully patched system is OK and M$ has fixed their stuff. Tosh in the US if you go after your manufacturer to fix the issue that M$ caused they are just gonna tell you to call M$, rarely do you get the service you paid for. And this release of information is not to aid script kiddies and malicious hackers, but to show M$ that their minor issue is 'highly critical' and needs a fix!
Posted by: Demon 27 Nov 2005
Responsible Disclosure has failed
So far, including this one, there are 49 (!) unpatched critical security holes in IE and Microsoft doesn't even bother to fix 'em. The people at secure@microsoft.com simply ignore any bug report, don't give any reasonable answers and patches are never created. So far, Full Disclosure is the only way to actually enforce a reaction when they're unwilling. That's what Computerterrorism did, that's what I do.
Posted by: sdfdsfdsf 25 Nov 2005
Check your calendar...
The original exploit was discovered on May 31st, 2005. That's not 18 months notice!
Posted by: David Way 24 Nov 2005
Tosh!
I don't like having to come to M$'s defence but... May to November is 6 months, not 18. Also, you have to give the software developer time to fully investigate a 'flaw' before they can release a fix. M$ could easily fix EVERY possible security flaw in the OS.... simply shut it down. Then who would shout? I think it's about time the M$ bashers give them a bit of credit. These fixes come out pretty quick given the complexity of the issues resolved. How much support does your computer vendor give you for free off the internet? I bet it's 1-3 years. Good for a piece of kit that costs over £1500!? Compare that to the support M$ give you on a piece of software that probably only added £100 ish to the price of the PC. If you wanted to get really strict, M$ aren't responsible anyway (in the UK at least). It's the vendor of the merchandise that you as a customer should go to first. How many end users beat a path to the vendor though? However, whatever your feeling towards M$.... publicly publishing an idiot's guide on how to exploit ANY vulnerability to 'raise public awareness' is plain bl00dy stupid stupid stupid. IMHO. It impresses no-one with any intelligence and gives script kiddies something to work on apart from the brain between their legs!! Give me another beer someone...
Posted by: HoG master 24 Nov 2005
They had plenty of time
They gave Microsoft a year and a half to patch the vulnerability. If it had been say, only a couple months, I'd say it was irresponsible of them, if not criminal, but this is likely a case of Microsoft simply ignoring vulnerabilities in order to release fewer patches and claim that Windows therefore must be more secure. I'm convinced that Microsoft doesn't even patch the vulnerabilities they find themselves, in order to protect their public image.
Posted by: David Finch 23 Nov 2005