By Patrick Grey, 9 September 2003 07:49
A patch released by Microsoft to fix a critical security vulnerability in its Internet Explorer browser does not work, according to security experts.

The "object type" vulnerability was discovered by eEye Digital Security around four months ago. A patch was released on 20 August. It was then re-released on 28 August because, under some circumstances, it had caused problems for some non-default operating system installations, according to eEye.

The patch appears to be due for yet another re-release because it simply doesn't fix the vulnerability it is supposed to, eEye said.

The vulnerability in question can be exploited by crafting a malicious HTML file that, when viewed in the Internet Explorer browser, extracts and executes malicious code.

A Microsoft representative said the company was investigating the eEye report, but added that it has not received any reports of customers being affected by the claimed variation of the original vulnerability. The company is continuing to distribute the original patch and recommends that Internet Explorer users who haven't applied it do so promptly.

Marc Maiffret, eEye's chief hacking officer, said the vulnerability is particularly critical because it doesn't take a lot of effort to take advantage of it.

"It's pretty serious just because it's so easy to exploit," he said. "It doesn't require someone to know how to write buffer overflow exploits or anything like that."

Maiffret said Microsoft should have done a better job to begin with.

"How do you take four months to fix something this simple and then not fix it correctly?" he said. "It seems like they are taking security seriously [but] at the same time, I don't think they're really investing."

Maiffret said a lack of suitably skilled security engineers within Microsoft is one reason this incident, described by the researcher who discovered the flaw in the patch as a "pathetic oversight", has occurred.

"A lot of it comes from having the right people in-house," Maiffret said. "They have some very smart guys in there, but they definitely don't have enough."

Patrick Grey writes for ZDNet Australia

