Web developer accuses Microsoft of second-rate security

Microsoft has come under fire yet again - this time from Spanish Web developer Juan Carlos Garcia Cuartango, who is claiming a hole in Internet Explorer (IE) is leaving users' hard drives open to hackers.

Cuartango alerted Microsoft to the problem - nicknamed Cuartango Hole - last month and a patch was quickly released on the company's Web site. But according to the bug-hunter, the fix "was not good quality work". Cuartango was able to quickly demonstrate that the patch didn't fix a variant of the hole known as 'Son of Cuartango Hole' and posted an example of the new bug on his Web site.

According to Microsoft, the problem occurs in an Untrusted Scripted Paste (USP) vulnerability, which allows a malicious user to paste a file name into the file upload control and gain access to computer files. The HTML script can be sent in an email or through a Web page. The variant involves a different way of putting the filename into the file upload control.

Cuartango released details of the latest problem to the software giant on 10 November and it released an updated security bulletin yesterday. The Spanish developer claimed Microsoft was "trying to make as little noise as possible in order to minimise the issue".

Microsoft's bulletin admitted: "Although the original patch corrected the problem, another method of putting a filename into the file upload intrinsic control was discovered subsequently."

The hole affects IE 4.01 and Microsoft is "highly recommending that all affected customers - including anyone who downloaded the original patch before November 18 - download and install the updated patch to protect their computers".

For more information see pages.whowhere.com/computers/cuartangojc or www.microsoft.com/security/bulletins
