Microsoft Ups IE Flaw to Critical

Move followed researcher's claims that the software giant deliberately downplayed the severity of the flaw.

Microsoft Corp. on Friday upgraded the severity rating of its most recent cumulative patch for Internet Explorer after a security researcher posted to a mailing list information that showed a new flaw was more serious than the software giant realized.

The patch, released last Wednesday, fixes a vulnerability in IE 5.5 and 6.0 in the browsers cross-domain security model. The software performs incomplete security checks when certain object caching techniques are used in Web pages.

An attacker could exploit the flaw by either sending the malicious code to the user in an HTML mail message or luring the user to a Web page containing the code.

Microsofts original bulletin said that an attacker could not use the flaw to run code on a users machine, and the vulnerability was rated "moderate." However, a Danish security expert, well-known for finding vulnerabilities in IE, disputed this claim, saying that the flaw could be used to execute code on vulnerable machines. Thor Larholm, a vulnerability researcher at PivX Solutions LLC in Newport Beach, Calif., said Microsoft deliberately downplayed the severity of the problem. Officials at the Microsoft Security Response Center in Redmond, Wash., rejected this claim, saying that they had not been able to reproduce the results that Larholm had achieved.

However, after further investigation, the MSRC was able to use the vulnerability to run code on another users machine. As a result, the company upgraded the severity of the vulnerability to "critical," the most severe rating.

"Information posted to [BugTraq] shortly after the release of MS02-068 prompted an investigation that uncovered a previously unknown exploit scenario. The newly discovered exploit scenario—still based on a vulnerability fixed in MS02-068—could allow a malicious user to run code on a users computer via a specially crafted Web site or e-mail message—thus warranting a severity rating of critical," said a Microsoft spokesman.