Online business Toolkit

Microsoft plugs six browser holes

Tags:
Hole,
Cumulative Patch,
Security,
Vulnerability

Published: 12 Feb 2002 12:16 GMT

Microsoft released a collection of software fixes on Monday to plug six security problems in its Internet Explorer browser, including one that could be exploited to take over a victim's computer.

The advisory deemed as critical a vulnerability in the way Microsoft's browser opens external documents, but about which the software giant would say little for the past two months.

"We have said that the issue is under investigation," said a representative for the software giant.

The software flaw took Microsoft by surprise when a 31-year-old Austin, Texas-based security researcher using the handle "ThePull" posted details of the problem to a security mailing list.

The collection of software fixes, known as a cumulative patch, also fixes two flaws in the way Internet Explorer handles HTML, opens files, and executes certain scripts. The patch is available from Microsoft's Web site.

The release comes 48 hours after two security researchers pointed out that the security hole found in December can be combined with last week's minor privacy flaw in MSN Messenger to hijack MSN accounts.

"The flaw allows a malicious programmer, Web site or email to impersonate you completely," said Thor Larholm, an Internet programmer for Danish portal Jubii and one of two researchers who found the problem. "You can, in essence, use this to remote-control a victim."

Users are urged to download the latest patch.

Larholm, along with British Web developer Tom Gilder, outlined the security slip-ups on their Web site, including the fact that Microsoft posted a set of fixes for the problem last Thursday, but took it down not two hours later.

A Microsoft representative said that an error in the way the patch was distributed caused the company to pull it down and conduct further testing. Any Windows user who had already downloaded the patch during the two-hour window is fine, the representative said.

Both security experts said they were disturbed by Microsoft's slow response, especially with respect to the December security problem found by ThePull.

"Even when Microsoft patches the current round of security holes, it's only a matter of time before someone comes up with another one," said Gilder. "Domain-security related holes are reasonably frequent, and when the next one pops up MSN will be wide-open again."

Finding this one wasn't that difficult, Larholm said. "We sat down for 10 minutes and came up with this."

Microsoft has embarked on an initiative to eliminate such vulnerabilities from its software and services. Recently, in a memo to every employee, chairman Bill Gates stressed that the software titan needs to put security over features.

Gilder said the jury's still out on whether Microsoft is doing just that.

"Microsoft has said a lot of wise words recently, but I've not yet seen many of these actually being put into practice," Gilder said.

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section.

Have your say instantly, and see what others have said. Go to the Security forum.

Let the editors know what you think in the Mailroom.