By Munir Kotadia, 11 February 2004 14:40
eEye, the company that originally discovered a critical Windows bug patched by Microsoft on Tuesday, says it is waiting on fixes for seven more Microsoft bugs - three of them meriting a "high" severity rating.
Microsoft released a patch for Windows on Tuesday that fixed one of the most severe security holes ever found in the operating system. Microsoft said it took more than six months to fix the problem and to make sure the patch was thoroughly tested. During this time, the vulnerabilities could have been exploited by another MSBlast-type attack, allowing a virus to rapidly infect a large number of internet-connected computers, according to security experts.
eEye now says it has reported another seven as-yet-unpatched bugs to Microsoft, some as long as five months ago. The company is listing the report dates and seriousness of the bugs on its website, but will reveal no further information until Microsoft has released fixes.
Two of eEye's most dangerous flaws were reported to Microsoft on 10 September 2003, while the third was brought to the company's attention a month later. According to eEye's website, the fixes are overdue by 94 and 66 days respectively.
eEye is one of many security research organisations reporting vulnerabilities to Microsoft, but is one of the few that allow the public to monitor the progress of its bug reports. Some researchers have been known to release public warnings about specific flaws if they judge a software vendor is taking too long to patch, a practice which vendors have heavily criticised.
According to eEye's website, full details of each vulnerability "will be disclosed to the public at the time a patch is released from the vendor".
Munir Kotadia writes for ZDNet UK
Comments
There are 10 comments.
1. David Thrower
It is not in Microsoft's commercial interests to write software that they cannot monitor!
2. Eddie Bleasdale
This security weakness comes from integrating Internet Explorer into the operating system.
This is yet another example of very poor design on the part of Microsoft. All other web browsers run perfectly well without being incorporated into the operating system and most with superior performance. Would Microsoft explain its reasoning for integrating IE into the Windows operating system?
A simple way for organisations to avoid the security weaknesses inherent in Internet Explorer is to change to the Mozilla web browser that runs on MS Windows, Apple Mac and Linux.
3. Dave Beall
Let Microsoft patch my computer? NO way, never have. I do not trust Microsoft to do the right thing. The right thing would be a patch to remove Internet Explorer from the operating system. But the monopoly will not do the right thing. They might lose a dollar. I am so happy that Microsoft is not in charge of my IT security. Besides, why leave security concerns in the hands of a company that is so 'profit' oriented?
4. anonymous
Seven more 'holes'... Microsoft reports on its website!! To me, 'the less I.T. literate/competent', this seems an invitation for those who might not have been aware of such to rush in and attempt to exploit? Regards, Arthur.
5. cyril williams esq.
MSN charges criminally high prices for criminally terrible products that fail constantly. MSN doesn't offer any support for their crapware. The common user like myself who can't write code has only one choice... Apple...
6. Ian Savell
Maybe the blame lies not entirely with Microsoft, but partly with Intel and the rest of the processor designers.
I used to work on DEC VAX systems. I seem to recall that the VAX hardware could partition memory arbitrarily into code and data segments, with hardware faults being returned if you attempted to execute code in a segment marked as data or write data into a code segment.
While buffer overflows (the source of almost all Windows exploits) could still occur, they couldn't result in execution of arbitrary code.
Had Intel et al implemented similar security features when launching the Pentium, instead of just making it faster, we might not be in this position today.
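An added example (not from the article or from any of the commenters) of the hardware fault the previous comment describes, as modern CPUs and operating systems enforce it through the NX bit: two C probes for Linux on an NX-capable processor, one calling into a read/write data page and one storing into the program's own code segment, each returning 1 when the CPU refuses the access. The function names are my own.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
/* The CPU reports the refused access as SIGSEGV; the handler jumps back into
 * the probe so it can report the fault instead of the process being killed. */
static sigjmp_buf fault_jump;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_jump, 1); }
static void arm_fault_handler(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, NULL);
}

/* Probe 1, "execute code in a segment marked as data": returns 1 if calling
 * into an anonymous read/write page (no execute permission) faults. */
int exec_of_data_page_faults(void) {
    size_t sz = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, sz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;  /* zero-filled page; its contents do not matter */
    volatile int faulted = 0;
    arm_fault_handler();
    if (sigsetjmp(fault_jump, 1)) {
        faulted = 1;                    /* we land here after the handler's siglongjmp */
    } else {
        void (*fn)(void);
        memcpy(&fn, &page, sizeof fn);  /* data pointer -> function pointer */
        fn();                           /* instruction fetch from a data page: NX fault */
    }
    munmap(page, sz);
    return faulted;
}

/* Probe 2, "write data into a code segment": returns 1 if a store into the
 * program's own text segment (mapped read/execute, never writable) faults. */
int write_to_code_segment_faults(void) {
    volatile unsigned char *code;
    void (*fn)(int) = on_fault;
    memcpy(&code, &fn, sizeof code);    /* function pointer -> data pointer */
    volatile int faulted = 0;
    arm_fault_handler();
    if (sigsetjmp(fault_jump, 1)) faulted = 1;
    else *code = *code;                 /* writes the same byte back; still a store to r-x memory */
    return faulted;
}
```

Both probes return 1 on any current Linux machine; a 0 from the first would mean the kernel or CPU is not enforcing execute permissions, which is exactly the condition the comment says made the early Pentium era so exposed.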
7. Tim Brading
Previous writer - can't write code, can't spell either ;-)
8. anonymous
Spelling & grammar in previous comments is probably just MS spinners trying to deflect the crit. Nice try, but you've still got to fix this one quick AND answer the genuine concerns. We're waiting!
9. William Bowden
The fault lies not with Microsoft but with us: whilst we still buy their OS knowing their poor record, they will continue to write poor code.
Would you fly in a plane that crashed at least once a month, or allowed others apart from the pilot to control it?
Did not think so.
So there are better alternatives; do not let Microsoft PR cloud your brain.
10. Bob
Why does everyone believe that this vulnerability is caused by Internet Explorer? The vulnerability in question (ASN.1 or MS04-007) actually relates (for the most part) to certificates. The exploit is therefore not limited to IE, but also mail clients, Adobe Acrobat Reader and many other applications. Before people come up with ideas on how Microsoft should have developed their products, perhaps getting the facts straight would be more helpful.