A pair of newly discovered security flaws in Microsofts Internet Explorer and Outlook programs could put millions of users at risk of code execution attacks, a private research outfit warned Thursday.
The vulnerabilities were reported to Microsoft Corp. by private research outfit eEye Digital Security, and basic details on the risks and the affected products have been released on eEyes upcoming advisories Web page.
A spokeswoman for the software giant confirmed that engineers at the Microsoft Security Research Center were investigating the eEye discoveries.
“At this time, Microsoft is not aware of any malicious attacks attempting to exploit the reported vulnerabilities, and there is no customer impact based on this issue,” she said.
Once the investigation is done, she said Microsoft would “take the appropriate action” to protect affected users.
Under normal circumstances, Microsoft patches are released on a monthly cycle, but in cases of emergency, the company could release an out-of-cycle update.
Since adopting the monthly patching cycle in October 2003, Microsoft has released three out-of-cycle patches, all for “critical” flaws in the Internet Explorer browser.
Marc Maiffret, chief hacking officer at eEye, said the flaws were rated “high-severity” because malicious hackers could run a successful exploit from anywhere on the Internet.
“These are client-side vulnerabilities that could allow attacks via a Web browser or the Outlook client. The risk of a zero-day attack is quite high,” Maiffret said in an interview with eWEEK.com.
He said Microsoft was alerted to the first vulnerability March 16.
That bug was found in default installations of IE and Outlook and could allow malicious code to be executed, contingent upon minimal user interaction, he explained.
According to the eEye advisory, the vulnerabilities affect all versions of Windows NT 4.0, Windows 2000 and Windows XP, including Service Pack 2 (SP2).
More testing and a
Maiffret said eEyes researchers were still testing different configuration scenarios to determine whether users of Windows Server 2003 are affected.
A second advisory provides vague details on a similar issue, but Maiffret said it was not yet clear which platforms were affected.
“Microsoft has verified that these vulnerabilities are real, and its fair to expect them to treat this with the highest priority,” Maiffret said, adding that Redmonds engineers have historically been slow to react to major product flaws.
In one case, it took Microsoft six months to create and release a patch for a highly critical flaw reported by eEye.
“Over the last two years, theyve gotten worse at releasing patches in a timely manner. When you take several months to release a patch for a very serious flaw, you leave your customers exposed. In Microsofts case, they have to do better,” Maiffret added.
Microsoft officials say the complicated nature of testing patches for quality assurance is the reason for the delay, but Maiffret said he believes the problem is due to Microsofts insistence at running code audits for every reported vulnerability.
“Whenever a vulnerability is privately reported, they do a code audit around the vulnerability to try to find other possible issues. Thats the real reason it takes so long to get a patch. No matter what, its unacceptable to take so long to fix something, especially when the risks are high,” he added.
According to security alert aggregator Secunia, more than 30 percent of the security holes found in IE remain unpatched.