Security Expert Takes Issue With Rating of New IE Flaw | eWeek

Security Expert Takes Issue With Rating of New IE Flaw

Écrit par
Dennis Fisher
Dennis Fisher
Dec 5, 2002
3 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

A security expert is taking Microsoft Corp. to task for what he says is a deliberate effort to downplay the severity of a newly discovered vulnerability in Internet Explorer.

Microsoft on Wednesday released a cumulative patch for IE, which also fixes a new flaw that the company said could allow a Web site to access information on users machines.

The company rated the vulnerability as “moderate” and said that attackers could read, but not change, files on a vulnerable machine or run without parameters an executable file already present on the computer. However, a well-known security researcher on Thursday posted a message to the BugTraq mailing list disputing Microsofts assessment of the vulnerability, saying that the flaw is much more severe than the company let on.

“Microsoft has given this vulnerability a maximum severity rating of moderate. Great, so arbitrary command execution, local file reading and complete system compromise is now only moderately severe, according to Microsoft,” wrote Thor Larholm, a Danish security researcher with PivX Solutions LLC, a Newport Beach, Calif., security consultancy.

Larholm asserts that, contrary to the description of the problem in Microsofts advisory, an attacker exploiting the new vulnerability can actually modify files on the local machine, place arbitrary files on it and run any executable found on the machine with or without parameters.

Microsoft officials say they havent been able to reproduce Larholms results.

“We did take this particular issue into consideration, but at this point we havent found a way to do what hes talking about,” said David Gardner, security program manager at the Microsoft Security Response Center in Redmond, Wash. “We try to do the best we can to get the right severity rating. But the first thing to realize is that applying the patch takes care of the problem.”

The vulnerability, present in IE 5.5 and 6.0, is in the browsers cross-domain security model. The software performs incomplete security checks when certain object caching techniques are used in Web pages.

An attacker could exploit the flaw by either sending the malicious code to the user in an HTML mail message or luring the user to a Web page containing the code.

Larholm is well-known in the security community, mainly for his research on vulnerabilities in IE. He keeps a running list of the known, unpatched flaws in the browser, a tally which currently stands at 18.

Microsoft on Nov. 20 released another cumulative patch for IE that contained fixes for six new vulnerabilities. Larholm argues in his posting to BugTraq that Microsoft soft-peddled the most recent cumulative patch in order to avoid bad press.

“It seems that Microsoft [is] deliberately downplaying the severity of their vulnerabilities in an attempt to gain less bad press,” he wrote. “It sure would look bad to release two critical cumulative updates in just two weeks, but that is exactly what has been done.”

Five of the vulnerabilities in the Nov. 20 update are in fact rated “important,” which is one step below the most severe rating of “critical.”

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.