Microsoft concerned about IE disclosure

Edward Hurley, SearchSecurity.com News Writer

Microsoft is downplaying the release of purported vulnerabilities in Internet Explorer 6. The flaws were revealed late last week.

"We have not been made aware of any active exploits of the reported vulnerabilities or customer impact at this time, but we are aggressively investigating the public reports," said Stephen Toulouse, security program manager for Microsoft Security Response Center, in a statement.

If a fix is needed, the company will take "appropriate action to protect" customers, either in the monthly patch release or an out-of-cycle patch, Toulouse said.

Late last week, Liu Die Yu, an independent Chinese security researcher, posted the details of several flaws affecting Internet Explorer 6 to security mailing lists. The vulnerabilities can allegedly allow remote attackers to compromise systems.

In an e-mail interview with SearchSecurity.com, Liu said he found the flaws through trial and error. "I just try and try," he said. "I only tested on IE6, but it doesn't mean they only work on IE6."

In Liu's opinion, the most severe flaw is one that could allow attackers to reach the local security zone and download a file and then execute it.

Since there is no patch available, security experts recommend disabling Active Scripting to minimize any risk associated with the flaws.

There are many non-technical issues surrounding the release of the vulnerabilities. Liu didn't give Microsoft a heads-up about them before releasing them because he felt slighted after the company allegedly didn't give him credit for finding a past flaw.

Microsoft was none too pleased with Liu's lack of cooperation. "Microsoft is concerned that these new reports of vulnerabilities in Internet Explorer were not disclosed responsibly, potentially putting computer users at risk," Toulouse said.

Coincidentally, Apple Computer Inc. faced a similar fate this week. A researcher released the details of a vulnerability he'd found in Apple's OS X operating system because he felt the company was dragging its feet on the matter.
