Microsoft Investigates Windows Bug Warnings

 
 
By Ryan Naraine  |  Posted 2004-12-27
 
 
 
Microsoft Corp. on Monday chided a private research outfit for releasing proof-of-concept code for three potentially serious flaws in the Windows operating system, warning that irresponsible disclosure was not in the best interest of consumers.

The software giants rebuke comes five days after a Chinese community group called Xfocus Team said it discovered several high-risk vulnerabilities affecting multiple versions of Windows.

A spokeswoman for Microsoft said the company is actively investigating the Xfocus Teams findings, which were re-released by anti-virus vendor Symantec Corp. but attributed to a different researcher.

"Microsoft is disappointed that Xfocus took actions that could put computer users at risk by not following the commonly accepted industry practice of privately reporting security vulnerabilities to software vendors," the spokeswoman said.

She called on private researchers to follow the procedure for responsible disclosure, which she said allows vendors to review the reports for accuracy and to determine the best response for customers.

According to the Xfocus advisory, which was confirmed by Symantec Security Response, the most serious of the three vulnerabilities involves the Windows LoadImage API Function.

That bug was described as an integer overflow that could be exploited via browsers or e-mail client software. Users who open an HTML message or Web page bearing the image could face security risks.

The other two vulnerabilities were pinpointed in the Help system and in Windows ANI (Animated Cursor Image) format authentication.

Microsoft said it was not aware of any active, malicious attacks attempting to exploit the reported vulnerabilities, adding that there is no immediate customer impact based on the issues.

"Upon completion of [our] investigation, we will take the appropriate actions to protect customers, which may include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs," she said.

Check out eWEEK.coms for Microsoft and Windows news, views and analysis.

Rocket Fuel