Microsoft Ups IE Flaw to Critical
Move followed researcher's claims that the software giant deliberately downplayed the severity of the flaw.

Microsoft Corp. on Friday upgraded the severity rating of its most recent cumulative patch for Internet Explorer after a security researcher posted to a mailing list information that showed a new flaw was more serious than the software giant realized. The patch, released last Wednesday, fixes a vulnerability in IE 5.5 and 6.0 in the browser's cross-domain security model. The software performs incomplete security checks when certain object caching techniques are used in Web pages. An attacker could exploit the flaw by either sending the malicious code to the user in an HTML mail message or luring the user to a Web page containing the code.
Microsoft's original bulletin said that an attacker could not use the flaw to run code on a user's machine, and the vulnerability was rated "moderate." However, a Danish security expert, well-known for finding vulnerabilities in IE, disputed this claim, saying that the flaw could be used to execute code on vulnerable machines. Thor Larholm, a vulnerability researcher at PivX Solutions LLC in Newport Beach, Calif., said Microsoft deliberately downplayed the severity of the problem. Officials at the Microsoft Security Response Center in Redmond, Wash., rejected this claim, saying that they had not been able to reproduce the results that Larholm had achieved.