"Critical" holes trouble Microsoft
The software giant releases a patch for a pair of security holes in its IE Web browser but is still investigating a vulnerability in Windows NT and Windows 2000.
The browser patch corrects two flaws. The first makes it possible for a malicious hacker to place code on a Web surfer's PC by way of a cookie. Cookies are small files that Web sites place in a secure area on surfers' PCs to track return visits. The flaw allows a script embedded in a cookie to be saved outside the secure area, on the PC's hard disk. The code can then be triggered the next time the surfer visits the site.
The second flaw would allow a malicious programmer to include code on a Web site that would automatically execute programs already present on a surfer's PC once the surfer visited the site.
Microsoft rated both flaws "critical" and advised PC users running version 5 through 6 of Internet Explorer to promptly download the new patch.
Microsoft does not have a patch yet, however, for a recently publicized hole in the software-debugging component of Windows NT and Windows 2000. Malicious users could take advantage of the flaw in the debug tool to gain elevated privileges on a server running either of the operating systems. They could then access, modify and delete otherwise protected files.
Reports of the hole began circulating in mid-March by way of security discussion groups and other Internet resources. But the flaw gained new attention Thursday when security services company Entercept Security Technologies issued a bulletin warning customers of the hole.
Entercept security expert Chad Harrington said the hole poses a moderate risk, because the attacker would have to exploit it in person rather than over the Internet. He said Entercept contacted Microsoft about the flaw more than two weeks ago but decided to go public with the problem now because news of the risk was spreading while Microsoft was still preparing a response.
"We were simply trying to educate people about something people in the hacking community already know about," Harrington said. "Generally we don't feel security researchers should publicize vulnerabilities until the software vendor has a fix...but this was a special case. The poison was already out there."
Microsoft is still researching the vulnerability, the company said in a statement, and it criticized those who originally publicized the vulnerability on the Bugtraq security discussion site. "We are concerned that this report has gone public before we've had a fair chance to investigate it," the statement read. "Its publication may cause our customers needless confusion and apprehension or possibly even put them at risk. Responsible security researchers work with the vendor of a suspected vulnerability issue to ensure that countermeasures are developed before the issue is made public and customers are needlessly put at risk."
Microsoft is working with security researchers to develop guidelines about how and when software vulnerabilities should be reported. The issue has become part of the company's "Trustworthy Computing" campaign to make security a priority in its products.
Harrington said a temporary fix for the vulnerability was available from the Computer Emergency Response Team at the University of Stuttgart, Germany.