Security Expert Takes Issue With Rating of New IE Flaw

Thor Larholm claims Microsoft is deliberately downplaying the severity of a newly discovered vulnerability in Internet Explorer.

A security expert is taking Microsoft Corp. to task for what he says is a deliberate effort to downplay the severity of a newly discovered vulnerability in Internet Explorer.

Microsoft on Wednesday released a cumulative patch for IE, which also fixes a new flaw that the company said could allow a Web site to access information on users machines.

The company rated the vulnerability as "moderate" and said that attackers could read, but not change, files on a vulnerable machine or run without parameters an executable file already present on the computer. However, a well-known security researcher on Thursday posted a message to the BugTraq mailing list disputing Microsofts assessment of the vulnerability, saying that the flaw is much more severe than the company let on.

"Microsoft has given this vulnerability a maximum severity rating of moderate. Great, so arbitrary command execution, local file reading and complete system compromise is now only moderately severe, according to Microsoft," wrote Thor Larholm, a Danish security researcher with PivX Solutions LLC, a Newport Beach, Calif., security consultancy.

Larholm asserts that, contrary to the description of the problem in Microsofts advisory, an attacker exploiting the new vulnerability can actually modify files on the local machine, place arbitrary files on it and run any executable found on the machine with or without parameters.

Microsoft officials say they havent been able to reproduce Larholms results.

"We did take this particular issue into consideration, but at this point we havent found a way to do what hes talking about," said David Gardner, security program manager at the Microsoft Security Response Center in Redmond, Wash. "We try to do the best we can to get the right severity rating. But the first thing to realize is that applying the patch takes care of the problem."

The vulnerability, present in IE 5.5 and 6.0, is in the browsers cross-domain security model. The software performs incomplete security checks when certain object caching techniques are used in Web pages.

An attacker could exploit the flaw by either sending the malicious code to the user in an HTML mail message or luring the user to a Web page containing the code.

Larholm is well-known in the security community, mainly for his research on vulnerabilities in IE. He keeps a running list of the known, unpatched flaws in the browser, a tally which currently stands at 18.

Microsoft on Nov. 20 released another cumulative patch for IE that contained fixes for six new vulnerabilities. Larholm argues in his posting to BugTraq that Microsoft soft-peddled the most recent cumulative patch in order to avoid bad press.

"It seems that Microsoft [is] deliberately downplaying the severity of their vulnerabilities in an attempt to gain less bad press," he wrote. "It sure would look bad to release two critical cumulative updates in just two weeks, but that is exactly what has been done."

Five of the vulnerabilities in the Nov. 20 update are in fact rated "important," which is one step below the most severe rating of "critical."