Microsoft: IE hole worse than reported

By Joe Wilcox, Special to ZDNet.
09 December 2002 08:30 AM
Microsoft has raised its threat rating for a security flaw in its Internet Explorer browser to "critical," in response to criticism of its initial assessment of the hole's danger.

A representative of Microsoft, which has come under fire for its security policies, said the company had changed its original rating of a flaw in IE versions 5.5 and 6 as a result of comments posted to the Bugtraq online bulletin board by a security consultant.

As previously reported by CNET News.com, Thor Larholm, a vulnerability researcher with security consultancy Pivx Solutions, questioned Microsoft's "moderate" rating--issued Wednesday--in a Bugtraq forum posting.

"Microsoft has given this vulnerability a maximum severity rating of moderate," Larholm wrote. "Great, so arbitrary command execution, local file reading and complete system compromise is now only moderately severe, according to Microsoft."

Larholm characterised the initial rating as an attempt to downplay the second major Internet security bug found in a Microsoft product in about two weeks. The first security hole exposed millions of Web servers and PCs to potential hacking. That flaw likely affected the more than 4 million Web sites using Microsoft's Internet Information Server software.

"It seems like Microsoft is deliberately downplaying the severity of the vulnerabilities in an attempt to gain less bad press. It sure would look bad to release two critical cumulative updates in just two weeks, but that is exactly what has been done," Larholm wrote.

But Microsoft said Friday that it had simply missed an important detail when making its initial assessment of the flaw. By causing the company to do additional testing, Larholm's postings alerted Microsoft to the error.

"Information posted to NTbugTraq...prompted an investigation that uncovered a previously unknown exploit scenario," Microsoft said in a statement Friday. "The newly discovered exploit scenario...could allow a malicious user to run code on a user's computer via a specially crafted Web site or e-mail message--thus warranting a severity rating of critical."

A Microsoft representative confirmed during an interview that Larholm's postings contained the "information" referred to in the statement.

A perceived lack of security in Microsoft's products and in the computing industry as a whole prompted Bill Gates to deliver a widely publicised mandate to employees earlier this year, insisting that the issue become the company's first priority. Microsoft has also been at the center of a debate between software companies and security consultants about how and when vulnerabilities in products should be made public. And the company's rating of flaws in its products could become an even greater issue as enterprises try to make sense out of recent changes Microsoft has made to its ratings system.

In November, the computing titan altered its security-alert system, adding a fourth rating among other changes. The new system inserts a rating of "important" between "critical" and "moderate." The fourth designation is "low." Under the new mechanism, then, a "moderate" alert, like the one originally given to the IE flaw, is less severe than it would have been a month ago.

A bigger bug than bargained for
In Microsoft's original warning on the IE flaw, the company noted that a potential hacker exploit had been made possible by an error in how Internet Explorer 5.5 and 6 handle "Web objects." Using the exploit, hackers could eventually read any files on a victim's computer and launch certain programs on the machine. The hacker, however, would not be able to place programs on the invaded computer or change or delete files, the original posting said. But Larholm's messages to the Bugtraq forum questioned Microsoft's conclusions on how much damage a hacker could do, which led to the company's additional tests.

"It seems like Microsoft has been able to reproduce an exploitable scenario, even before I got a chance to make my demonstration for them," Larholm said on Friday. "I am thrilled to see that the bulletin has been revised, but would have expected it to be truthful from the beginning without the need for public scrutiny."

Microsoft emphasised that the change in rating would not impact consumers or businesses that had already applied a fix for the security bug.

"The patches are unchanged," Microsoft said in a statement. "Customers who have already applied (the patch) are protected against this and past vulnerabilities. Our goal is to provide our customers with the most prescriptive, accurate and timely security information possible."

The patch is cumulative for other security bugs and can be applied to Internet Explorer 5.5 with Service Pack 2 installed, and to IE 6.


Talkback 2 comments

    When it comes to security Micr ...Scott Middleton -- 09/12/02

    When it comes to security Microsoft are incompetent. How do you expect an incompetent to know the difference between a low, moderate and severe security flaw? The answer is they don't.

    Microsoft focus on ease of use and functionality rather than security and while these are important security is more important. The problem is many companies and businesses share this philosophy (which is wrong) and invest in Microsoft technologies at the risk of security.

    By companies and businesses becoming more security focused and not accepting insecure products alternatives like open source products for example will become more popular. This popularity will give Microsoft an incentive to do better.

    Another way which I doubt will happen in Australia because of the current government is to enforce laws that make Microsoft responsible for every flaw that's found in their operating system. This law overrides their EULA and makes Microsoft legally responsible for every flaw. When this happens Microsoft will make better secured products because the law requires them to do so.

    Microsoft has been insecure for years it's a norm, it's a tradition at Microsoft. While Microsoft have been trying to change it seems the change is not working. For change to really work at Microsoft it needs to be forced.

    Again I ask: 'Why do you not i ...Anonymous -- 09/12/02

    Again I ask: 'Why do you not include a link to the MS patch page in your article?' Wouldn't this make it more useful to the readers?
