Microsoft: Watch out for rogue code

Sample attack code released by security firms is putting unpatched PCs at risk, the software giant claims.

Matt Hines Staff Writer, CNET News.com
Matt Hines
covers business software, with a particular focus on enterprise applications.
Matt Hines
2 min read
Microsoft has urged customers to apply its latest security patches, after several companies published "proof of concept" attacks that exploit the flaws that the updates fix.

In a notice posted to its Web site late Thursday, the software giant highlighted proof-of-concept documentation, or sample software code to illustrate how a flaw might be used to attack a system, from two security software makers: Finjan Software and Core Security Technologies.

While Microsoft said it backs the disclosure of vulnerabilities and proof-of-concept code, a common practice in the IT security industry, it criticized the companies for publishing their test code mere hours after security patches had been released for the reported flaws.

"Microsoft will continue to support and advocate responsible disclosure, because we find it to be a vital tool to effectively identify and remedy security issues," the company said in its notice. "Microsoft is concerned that the publishing of proof-of-concept code within hours of the security updates being made available has put customers at increased risk."

Shortly after some of Core's proof-of-concept work was aired, an individual modified some of the code to create an actual threat, Microsoft said. The malicious code could expose computer users who have not yet installed its updates to attack, it said.

The software maker rapped Finjan, which reported a critical issue in Office XP, for posting its proof-of-concept code on the same day Microsoft issued a security bulletin to resolve the issue.

It said Core, which reported a critical issue in the PNG (portable network graphics) processing technology present in Microsoft Windows and MSN Messenger, also published proof-of-concept code on the Web the same day an advisory was released to address the problem.

The Redmond, Wash.-based software giant believes that the two security companies ignored an unspoken law among researchers to wait "a reasonable period of time," before publishing their work. Microsoft said those generally accepted industry practices give its customers more time to test, download and deploy necessary security updates.

Neither Finjan nor Core immediately responded to calls seeking comment on the Microsoft announcement. However, in a previous interview with CNET News.com, Finjan CEO Shlomo Touboul defended his company's practices around reporting Microsoft's vulnerabilities.

"People need to know that they have to be careful--and without education, people won't be careful," Touboul said. "I wouldn't say we are scaring people. I don't believe in panic, but in very calculated behavior."