Flaws dog Microsoft, despite IE patch

Microsoft has released a patch for a pair of "critical" security holes in its Internet Explorer Web browser but was still investigating a widely publicised vulnerability in its Windows NT and Windows 2000 operating systems.

The browser patch corrects two flaws. The first makes it possible for a malicious hacker to place code on a Web surfer's PC by way of a cookie. Cookies are small files that Web sites place in a secure area on surfers' PCs to track return visits. The flaw allows a script embedded in a cookie to be saved outside the secure area, on the PC's hard disk. The code can then be triggered the next time the surfer visits the site.

The second flaw would allow a malicious programmer to include code on a Web site that would automatically execute programs already present on a surfer's PC once the surfer visited the site.

Microsoft does not have a patch yet, however, for a recently publicised hole in the software-debugging component of Windows NT and Windows 2000. Malicious users could take advantage of the flaw in the debug tool to gain elevated privileges on a server running either of the operating systems. They could then access, modify and delete otherwise protected files.

Reports of the hole began circulating in mid-March by way of security discussion groups and other Internet resources. But the flaw gained new attention Thursday when security services company Entercept Security Technologies issued a bulletin warning customers of the hole.

Entercept security expert Chad Harrington said the hole poses a moderate risk, because the attacker would have to exploit it in person rather than over the Internet. He said Entercept contacted Microsoft about the flaw more than two weeks ago but decided to go public with the problem now because news of the risk was spreading while Microsoft was still preparing a response.

"We were simply trying to educate people about something people in the hacking community already know about," Harrington said. "Generally we don't feel security researchers should publicise vulnerabilities until the software vendor has a fix...but this was a special case. The poison was already out there."

Microsoft said in a statement that it is still researching the vulnerability, and appeared to criticize Entercept for raising the alarm. "We are concerned that this report has gone public before we've had a fair chance to investigate it," the statement read. "Its publication may cause our customers needless confusion and apprehension or possibly even put them at risk. Responsible security researchers work with the vendor of a suspected vulnerability issue to ensure that countermeasures are developed before the issue is made public and customers are needlessly put at risk."

Microsoft is working with security researchers to develop guidelines about how and when software vulnerabilities should be reported. The issue has become part of the company's "Trustworthy Computing" campaign to make security a priority in its products.


Talkback 1 comments

    Why is Microsoft so paranoid a ...Dwight Walker -- 01/04/02

    Why is Microsoft so paranoid about people knowing what bugs it has? I'd like to know even if Microsoft doesn't have the answer. Sometimes they think they are God and take a very paternalistic attitude to their customers. We are not all suits. I am a computer scientist and like to know what the bugs are and don't go into convulsions thinking what a nasty hacker is going to do to my hard disk. I am forearmed but 3rd party like this article brought up. Stuff Microsoft's arrogance!!
