Microsoft Patch for IE Flaws Is Incomplete

A group of security researchers that identified one of the vulnerabilities covered by a Microsoft Corp. advisory issued Wednesday said the patch Microsoft issued is incomplete and doesnt resolve the problem it is meant to fix.

The patch for a cross-site scripting vulnerability in Internet Explorer only addresses part of the problem and therefore only fixes IE 6.0; versions 5.01 and 5.5 are still vulnerable, according to GreyMagic Software, an Israeli security research firm.

“Microsoft did not understand the problem. They only patched a symptom of this vulnerability, not its root cause,” the company said in an advisory posted to the BugTraq mailing list. “As a result of that incomplete patch, IE 5 and IE 5.5 are still very much vulnerable to this attack in other resources.”

Microsoft security officials defended their actions, saying the patch that is available now is good and the issues that GreyMagic raised in its most recent advisory are new to them.

“We did a full investigation with all of the information we had available and we didnt find that 5.01 or 5.5 were vulnerable,” said Christopher Budd, security program manager at Microsoft. “The information that they released is different from the information we based our initial investigation on.”

However, the company on Thursday issued an updated bulletin which corrects a statement in the original that said a user would have to click on a link in order to launch the cross-site scripting attack. It also revises the potential damage that can be done by one of the listed attacks.

Budd also criticized GreyMagic for taking their problems with the bulletin public and not going directly to Microsoft.

“Its too bad they posted it publicly and caused some needless concern,” he said. “It wouldve been better if they had brought it to us instead of posting it.”