Microsoft Corp.'s commitment to security, specifically its Trustworthy Computing initiative, is being questioned after its inaction regarding two new reports of security vulnerabilities in its products, security experts say.
Twice in the past three weeks, experts have issued reports of security flaws in Microsoft products, and both times the company remained silent, making no immediate public comment and issuing no fix.
The lack of communication has left users wondering if patches were in the works or even if the reported problems were legitimate.
The most recent report, posted to SecurityFocus' BugTraq mailing list by researcher Mike Benham, explained a flaw in the way Internet Explorer handles digital certificates used in SSL (Secure Sockets Layer) connections to remote Web servers. Such certificates are typically issued and signed by CAs (certificate authorities) such as VeriSign Inc., and each certificate names the Web site that owns it.
Benham found that most current versions of Microsoft's Web browser fail to check whether a certificate in the chain is actually authorized to act as an intermediate CA. As a result, a malicious Web site operator could use the key of an ordinary site certificate to generate and sign a fake certificate for another site, then collect credit card information and other data from users who connect to it.
KDE Project's Konqueror is also vulnerable, but a patch was issued to secure that browser within hours of the disclosure. AOL Time Warner Inc.'s Netscape Navigator and Opera Software ASA's Opera browsers are not susceptible to the problem.
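To make the missing check concrete, here is an added example (not code from the article or from any of the browsers it names) written in Go against the standard library's crypto/x509. It builds a constructed three-certificate scenario with RFC 2606 placeholder names: a root CA, an ordinary end-entity certificate for site-a.example (basicConstraints cA=false), and a certificate for shop.example signed with site-a's key. A signature-only walk, which is the behaviour the advisory describes, accepts the chain; the same walk with a basicConstraints check on every issuer rejects it, as does the standard library's own verifier.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Scenario holds a constructed chain: Root (CA) issues SiteA (not a CA);
// SiteA's key then signs Leaf, which claims the name shop.example.
type Scenario struct {
	Root, SiteA, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// newTemplate returns a CA template or an end-entity (server) template for cn.
func newTemplate(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // the extension is present and cA is set explicitly
		IsCA:                  ca,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{cn}
	}
	return t
}

// issue signs tmpl with signer on behalf of parent (nil parent = self-signed).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildScenario creates the constructed certificates (hypothetical names, fresh keys).
func BuildScenario() Scenario {
	rootKey, siteKey, leafKey := newKey(), newKey(), newKey()
	root := issue(newTemplate("Demo Root CA", 1, true), nil, &rootKey.PublicKey, rootKey)
	siteA := issue(newTemplate("site-a.example", 2, false), root, &siteKey.PublicKey, rootKey)
	leaf := issue(newTemplate("shop.example", 3, false), siteA, &leafKey.PublicKey, siteKey)
	return Scenario{Root: root, SiteA: siteA, Leaf: leaf}
}

// ForgedChain is leaf -> site-a -> root; HonestChain is site-a -> root.
func (s Scenario) ForgedChain() []*x509.Certificate { return []*x509.Certificate{s.Leaf, s.SiteA, s.Root} }
func (s Scenario) HonestChain() []*x509.Certificate { return []*x509.Certificate{s.SiteA, s.Root} }

// NaiveAccept checks only that each certificate carries a valid signature from the
// one above it, that the chain ends at the trusted root and that the name matches.
// It never asks whether the signer is permitted to be a CA: this is the flaw.
func NaiveAccept(chain []*x509.Certificate, root *x509.Certificate, host string) bool {
	for i := 0; i+1 < len(chain); i++ {
		child, parent := chain[i], chain[i+1]
		if parent.CheckSignature(child.SignatureAlgorithm, child.RawTBSCertificate, child.Signature) != nil {
			return false
		}
	}
	return chain[len(chain)-1].Equal(root) && chain[0].VerifyHostname(host) == nil
}

// FixedAccept adds the missing rule from RFC 5280 4.2.1.9: a key may only verify
// certificate signatures if its certificate asserts basicConstraints cA=true.
func FixedAccept(chain []*x509.Certificate, root *x509.Certificate, host string) bool {
	for i := 0; i+1 < len(chain); i++ {
		parent := chain[i+1]
		if !parent.BasicConstraintsValid || !parent.IsCA {
			return false
		}
	}
	return NaiveAccept(chain, root, host)
}

// StdlibVerify runs the standard library's full path validation (nil error = accepted).
func StdlibVerify(leaf *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate, host string) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	return err
}

func main() {
	s := BuildScenario()
	fmt.Println("forged chain, signature-only check:", NaiveAccept(s.ForgedChain(), s.Root, "shop.example"))
	fmt.Println("forged chain, with basicConstraints:", FixedAccept(s.ForgedChain(), s.Root, "shop.example"))
	fmt.Println("forged chain, crypto/x509 Verify:", StdlibVerify(s.Leaf, []*x509.Certificate{s.SiteA}, s.Root, "shop.example"))
	fmt.Println("honest chain, crypto/x509 Verify:", StdlibVerify(s.SiteA, nil, s.Root, "site-a.example"))
}
```

The only difference between NaiveAccept and FixedAccept is the basicConstraints test on every issuer, which is exactly the check the browsers listed as unaffected already perform; a client that trusts a signature without it lets any certificate holder act as a CA.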
While KDE was fixing the problem, Microsoft officials would say only that the company was investigating it. Nine days after the advisory was published, Microsoft posted an article to its TechNet site explaining the flaw and saying that the scenario and the likelihood of an attacker being caught make exploitation of the vulnerability unlikely.
Microsoft security officials said the delay was necessary to investigate the issue, since Benham released his advisory without notifying Microsoft first. The company said it will issue a patch, but officials could not say when.
"It's in the nature of these issues that we have to do highly detailed research," said Scott Culp, manager of the Microsoft Security Response Center, in Redmond, Wash.