Microsoft: IE hole worse than reported

It's critical. Not moderate

By Joe Wilcox, 9 December 2002 08:40

Microsoft has raised its threat rating for a security flaw in its Internet Explorer browser to "critical" in response to criticism of its initial assessment of the hole's danger.

A representative of Microsoft, which has come under fire for its security policies, said the company had changed its original rating of a flaw in IE versions 5.5 and 6 as a result of comments posted to the Bugtraq online bulletin board by a security consultant.

Thor Larholm, a vulnerability researcher with security consultancy Pivx Solutions, questioned Microsoft's "moderate" rating - issued last Wednesday - in a Bugtraq forum posting. "Microsoft has given this vulnerability a maximum severity rating of moderate," Larholm wrote. "Great, so arbitrary command execution, local file reading and complete system compromise is now only moderately severe, according to Microsoft."

Larholm characterised the initial rating as an attempt to downplay the second major internet security bug found in a Microsoft product in about two weeks. The first security hole exposed millions of web servers and PCs to potential hacking. That flaw likely affected the more than four million websites using Microsoft's Internet Information Server software.

"It seems like Microsoft is deliberately downplaying the severity of the vulnerabilities in an attempt to gain less bad press. It sure would look bad to release two critical cumulative updates in just two weeks, but that is exactly what has been done," Larholm wrote.

But Microsoft said that it had simply missed an important detail when making its initial assessment of the flaw. By causing the company to do additional testing, Larholm's postings alerted Microsoft to the error.

"Information posted to NTbugTraq... prompted an investigation that uncovered a previously unknown exploit scenario," Microsoft said in a statement on Friday. "The newly discovered exploit scenario... could allow a malicious user to run code on a user's computer via a specially crafted website or e-mail message - thus warranting a severity rating of critical."

A Microsoft representative confirmed during an interview that Larholm's postings contained the "information" referred to in the statement.

Microsoft emphasised that the change in rating would not affect consumers or businesses that had already applied a fix for the security bug. "The patches are unchanged," Microsoft said in a statement. "Customers who have already applied (the patch) are protected against this and past vulnerabilities. Our goal is to provide our customers with the most prescriptive, accurate and timely security information possible."

The patch is cumulative, covering earlier security bugs as well, and can be applied to Internet Explorer 5.5 with Service Pack 2 installed and to IE 6.

Joe Wilcox writes for News.com
