Microsoft Corp.s commitment to security, specifically its Trustworthy Computing initiative, is being questioned after its inaction regarding two new reports of security vulnerabilities in its products, security experts say.
Twice in the past three weeks, experts have issued reports of security flaws in Microsoft products, and both times the company remained silent, making no immediate public comment and issuing no fix.
The lack of communication has left users wondering if patches were in the works or even if the reported problems were legitimate.
The most recent report, posted to SecurityFocus BugTraq mailing list by researcher Mike Benham, explained a flaw in the way Internet Explorer handles digital certificates used in SSL (Secure Sockets Layer) connections to remote Web servers. Such certificates are typically issued and signed by CAs (certificate authorities) such as VeriSign Inc., which lists the Web site that owns them.
Benham found that most current versions of Microsofts Web browser fail to check the legitimacy of certificates issued by intermediate CAs. As a result, a malicious Web site operator could generate and sign a fake certificate for another site and collect credit card information and other data.
KDE Projects Konqueror is also vulnerable, but a patch was issued to secure that browser within hours of the disclosure. AOL Time Warner Inc.s Netscape Navigator and Opera Software ASAs Opera browsers are not susceptible to the problem.
While KDE was fixing the problem, Microsoft officials would say only that the company was investigating it. Nine days after the advisory was published, Microsoft posted an article to its TechNet site explaining the flaw and saying that the scenario and the likelihood of an attacker being caught make exploitation of the vulnerability unlikely.
Microsoft security officials said the delay was necessary to investigate the issue, since Benham released his advisory without notifying Microsoft first. The company said it will issue a patch, but officials could not say when.
“Its in the nature of these issues that we have to do highly detailed research,” said Scott Culp, manager of the Microsoft Security Response Center, in Redmond, Wash.
Truly Frustrating
Some customers are fed up.
“It is truly frustrating. I have vowed to eliminate using any Microsoft products because I am so frustrated over their Take a standard and modify it approach,” said James Rome, a senior scientist at Oak Ridge National Laboratory, in Oak Ridge, Tenn. “[But] it is impossible to not use IE. It lurks under the covers everywhere. If you do something like disable scripting in IE, other applications break.”
Others say that the problems often dont end when Microsoft does issue a patch.
“From the outside, there doesnt appear to be a reason Microsoft cant fix the immediate issue,” said Scott Blake, vice president of information security at BindView Corp., in Houston.
“[However] it doesnt solve the larger problem that it is possible to social engineer people into giving away confidential information over the Web to people they dont intend to give it to,” Blake said. “This flaw makes it easier, but fixing [it] doesnt fix the problem.”
Culp said the SSL problem is actually in the Windows code and not IE, which would complicate the process of producing a patch.
A similar situation occurred earlier this month when a researcher released a white paper claiming that the Win32 programming API in Windows is flawed in a way that allows attackers to gain escalated privileges once theyve accessed a PC. Microsoft did not make any public statements about the issue.
“They cant say anything definitive until they really know for sure, but they should make some statement,” said Chris Wysopal, director of research and development at @Stake Inc., a Cambridge, Mass., security consultancy and research company. “[The SSL problem] isnt a totally simple issue. But when they stay silent, it looks like they dont care.”
Wysopal also disputed Microsofts claims that attacks using the SSL vulnerability are unlikely. An attacker would use a stolen SSL certificate—not his own—making identification of the attacker much more difficult.
Related stories:
- IE Flaw Leaves Users Open to Data Theft
- Microsoft Patch Fixes Critical MCMS Flaws
- Microsoft to Boost Security Response
- Microsoft Shelled Out Millions on Security
- Interview: Trusting in Microsoft
- Whither Internet Explorer?
- More Security Coverage