
Security News

IE and Outlook flaws found...again

April 4, 2005

Two "severe" vulnerabilities in Microsoft software have been reported by the security research company eEye Digital Security. According to eEye's findings, the two vulnerabilities, found in the Internet Explorer browser and in the Outlook programs included with MS Office, could easily result in remote execution of malicious code on affected computers. Although the flaws would not allow self-propagating worms to infiltrate a system, attackers could potentially install backdoor Trojans without a person's knowledge, Ben Nagy, an eEye senior security engineer, said Friday.

Specifics of the problems have not been made available, as the company maintains that it won't disclose information to third parties until the manufacturer releases an advisory or patch. It did say both vulnerabilities are in the initial reporting stage and appear to be of high severity because they can be exploited remotely.

Marc Maiffret, chief hacking officer at eEye, said the flaws were rated "high-severity" because malicious hackers could run a successful exploit from anywhere on the Internet.

"If a user is tricked into going to a site carrying malicious code, they can become infected by just surfing across a banner ad," Ben Nagy, an eEye senior security engineer, pointed out. "Microsoft has acknowledged a vulnerability does exist and is real, but I doubt they will release a patch out of cycle," he added.

The software giant said it has reacted to the report and is currently evaluating the problem and planning future mitigation efforts.

"At this time, Microsoft is not aware of any malicious attacks attempting to exploit the reported vulnerabilities, and there is no customer impact based on this issue," she said in an e-mail. "Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a fix through a service pack, our monthly release process or an out-of-cycle security update, depending on customer needs."

If a vulnerability does prove to be critical, it is unclear what actions users of the affected software should take while the remedy is being developed. Security experts advise switching to alternative browsers and e-mail clients that are believed to be better protected.

Microsoft's approach to fixing flaws found by third-party contributors has been sharply criticized in the past. In one case, it took Microsoft six months to create and release a patch for a highly critical flaw reported by eEye.

"Over the last two years, they've gotten worse at releasing patches in a timely manner. When you take several months to release a patch for a very serious flaw, you leave your customers exposed. In Microsoft's case, they have to do better," Maiffret added. "Whenever a vulnerability is privately reported, they do a code audit around the vulnerability to try to find other possible issues. That's the real reason it takes so long to get a patch. No matter what, it's unacceptable to take so long to fix something, especially when the risks are high," he added.

According to security alert processor and aggregator Secunia, more than 30 percent of the security holes found in IE remain unpatched.

© 2006 PC Flank Ltd. All rights reserved.