IE Patch Doesn't Work
Web Design & Technology News, September 9, 2003


A patch released by MSFT to fix a critical security vulnerability in its Internet Explorer browser does not work, according to security experts.
By Patrick Gray

The "object type" vulnerability was discovered by eEye Digital Security around four months ago. A patch was released on August 20th. It was then re-released on August 28th, because under some circumstances it had caused problems for some non-default operating system installations, according to eEye. The patch appears to be due for yet another re-release because it simply doesn't fix the vulnerability it is supposed to, eEye said.

The vulnerability in question can be exploited by crafting a malicious HTML file that, when viewed by an Internet Explorer browser, extracts and executes malicious code.

MSFT representatives were not immediately available for comment.

Marc Maiffret, eEye's chief hacking officer, said the vulnerability is particularly critical, because it doesn't take a lot of effort to take advantage of it.

"It's pretty serious just because it's so easy to exploit... it doesn't require someone to know how to write buffer overflow exploits or anything like that," he said.

Maiffret says MSFT should have done a better job to begin with. "How do you take four months to fix something this simple and then not fix it correctly?" he asked. "It seems like they are taking security seriously... (but) at the same time, I don't think they're really investing."

The lack of suitably skilled security engineers within MSFT is one reason this incident, described by the researcher who discovered the flaw in the patch as a "pathetic oversight," has occurred, Maiffret said.

"A lot of it comes from having the right people in-house," Maiffret said. "They have some very smart guys in there, but they definitely don't have enough."

The problem with the security fix was first made public by security news and discussion site Malware.com, and Maiffret was unsure whether MSFT was informed prior to that disclosure. "They discovered it and they're getting the information out there... I'm not sure if they gave MSFT the information, which is usually the best way," he said.

Before the release of the patch, Maiffret's team looked over the patch and didn't see any problems. However, Maiffret said the examination was a quick "once over" and not a detailed audit. "(Our) researchers were just helping out; it's not like (MSFT) was paying us for this," he said.

MSFT uses external security code auditors, which in this case were not doing enough, Maiffret said.

Concerned users can disable active scripting on their browsers to mitigate the vulnerability until MSFT updates the patch.
