Security Expert Takes Issue With Rating of New IE Flaw | eWeek

Security Expert Takes Issue With Rating of New IE Flaw

Verfasst von
Dennis Fisher
Dennis Fisher
Dec 5, 2002
3 minute read
eWeek Inhalte und Produktempfehlungen sind redaktionell unabhängig. Wir können Geld verdienen, wenn Sie auf Links zu unseren Partnern klicken. Mehr erfahren

A security expert is taking Microsoft Corp. to task for what he says is a deliberate effort to downplay the severity of a newly discovered vulnerability in Internet Explorer.

Microsoft on Wednesday released a cumulative patch for IE, which also fixes a new flaw that the company said could allow a Web site to access information on users machines.

The company rated the vulnerability as “moderate” and said that attackers could read, but not change, files on a vulnerable machine or run without parameters an executable file already present on the computer. However, a well-known security researcher on Thursday posted a message to the BugTraq mailing list disputing Microsofts assessment of the vulnerability, saying that the flaw is much more severe than the company let on.

“Microsoft has given this vulnerability a maximum severity rating of moderate. Great, so arbitrary command execution, local file reading and complete system compromise is now only moderately severe, according to Microsoft,” wrote Thor Larholm, a Danish security researcher with PivX Solutions LLC, a Newport Beach, Calif., security consultancy.

Larholm asserts that, contrary to the description of the problem in Microsofts advisory, an attacker exploiting the new vulnerability can actually modify files on the local machine, place arbitrary files on it and run any executable found on the machine with or without parameters.

Microsoft officials say they havent been able to reproduce Larholms results.

“We did take this particular issue into consideration, but at this point we havent found a way to do what hes talking about,” said David Gardner, security program manager at the Microsoft Security Response Center in Redmond, Wash. “We try to do the best we can to get the right severity rating. But the first thing to realize is that applying the patch takes care of the problem.”

The vulnerability, present in IE 5.5 and 6.0, is in the browsers cross-domain security model. The software performs incomplete security checks when certain object caching techniques are used in Web pages.

An attacker could exploit the flaw by either sending the malicious code to the user in an HTML mail message or luring the user to a Web page containing the code.

Larholm is well-known in the security community, mainly for his research on vulnerabilities in IE. He keeps a running list of the known, unpatched flaws in the browser, a tally which currently stands at 18.

Microsoft on Nov. 20 released another cumulative patch for IE that contained fixes for six new vulnerabilities. Larholm argues in his posting to BugTraq that Microsoft soft-peddled the most recent cumulative patch in order to avoid bad press.

“It seems that Microsoft [is] deliberately downplaying the severity of their vulnerabilities in an attempt to gain less bad press,” he wrote. “It sure would look bad to release two critical cumulative updates in just two weeks, but that is exactly what has been done.”

Five of the vulnerabilities in the Nov. 20 update are in fact rated “important,” which is one step below the most severe rating of “critical.”

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Eigentum von TechnologyAdvice. © 2026 TechnologyAdvice. Alle Rechte vorbehalten

Werbetreibenden-Offenlegung: Einige der auf dieser Website erscheinenden Produkte stammen von Unternehmen, von denen TechnologyAdvice eine Vergütung erhält. Diese Vergütung kann beeinflussen, wie und wo Produkte auf dieser Website erscheinen, einschließlich beispielsweise der Reihenfolge, in der sie erscheinen. TechnologyAdvice schließt nicht alle Unternehmen oder alle auf dem Marktplatz verfügbaren Produkttypen ein.