Application development Toolkit

Flaws dog Microsoft, despite IE patch

Tags:
Security Patch For Ie,
Security Patch For Windows NT,
Security Patch For Windows 2000,
Hacking

David Becker CNet

Published: 02 Apr 2002 10:35 BST

Microsoft released a patch late Thursday for a pair of "critical" security holes in its Internet Explorer Web browser but was still investigating a widely publicised vulnerability in its Windows NT and Windows 2000 operating systems.

The browser patch corrects two flaws. The first makes it possible for a malicious hacker to place code on a Web surfer's PC by way of a cookie. Cookies are small files that Web sites place in a secure area on surfers' PCs to track return visits. The flaw allows a script embedded in a cookie to be saved outside the secure area, on the PC's hard disk. The code can then be triggered the next time the surfer visits the site.

The second flaw would allow a malicious programmer to include code on a Web site that would automatically execute programs already present on a surfer's PC once the surfer visited the site.

Microsoft rated both flaws "critical" and advised PC users running version 5 through 6 of Internet Explorer to promptly download the new patch.

Microsoft does not have a patch yet, however, for a recently publicised hole in the software-debugging component of Windows NT and Windows 2000. Malicious users could take advantage of the flaw in the debug tool to gain elevated privileges on a server running either of the operating systems. They could then access, modify and delete otherwise protected files.

Reports of the hole began circulating in mid-March by way of security discussion groups and other Internet resources. But the flaw gained new attention on Thursday when security services company Entercept Security Technologies issued a bulletin warning customers of the hole.

Entercept security expert Chad Harrington said the hole poses a moderate risk, because the attacker would have to exploit it in person rather than over the Internet. He said Entercept contacted Microsoft about the flaw more than two weeks ago but decided to go public with the problem now because news of the risk was spreading while Microsoft was still preparing a response.

"We were simply trying to educate people about something people in the hacking community already know about," Harrington said. "Generally we don't feel security researchers should publicize vulnerabilities until the software vendor has a fix...but this was a special case. The poison was already out there."

Microsoft said in a statement that it is still researching the vulnerability, and appeared to criticize Entercept for raising the alarm. "We are concerned that this report has gone public before we've had a fair chance to investigate it," the statement read. "Its publication may cause our customers needless confusion and apprehension or possibly even put them at risk. Responsible security researchers work with the vendor of a suspected vulnerability issue to ensure that countermeasures are developed before the issue is made public and customers are needlessly put at risk."

Microsoft is working with security researchers to develop guidelines about how and when software vulnerabilities should be reported. The issue has become part of the company's "Trustworthy Computing" campaign to make security a priority in its products.

Harrington said a temporary fix for the vulnerability was available from the German branch of the Computer Emergency Response Team.

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section.

Have your say instantly, and see what others have said. Go to the Security forum.

Let the editors know what you think in the Mailroom.