
By Matt Hines
Posted on ZDNet News: Feb 11, 2005 10:36:00 PM

Microsoft has urged customers to apply its latest security patches, after several companies published "proof of concept" attacks that exploit the flaws that the updates fix.

In a notice posted to its Web site late Thursday, the software giant highlighted proof-of-concept documentation, or sample software code to illustrate how a flaw might be used to attack a system, from two security software makers: Finjan Software and Core Security Technologies.

While Microsoft said it backs the disclosure of vulnerabilities and proof-of-concept code, a common practice in the IT security industry, it criticized the companies for publishing their test code mere hours after security patches had been released for the reported flaws.

"Microsoft will continue to support and advocate responsible disclosure, because we find it to be a vital tool to effectively identify and remedy security issues," the company said in its notice. "Microsoft is concerned that the publishing of proof-of-concept code within hours of the security updates being made available has put customers at increased risk."

Shortly after some of Core's proof-of-concept work was aired, an individual modified some of the code to create an actual threat, Microsoft said. The malicious code could expose computer users who have not yet installed its updates to attack, it said.

The software maker rapped Finjan, which reported a critical issue in Office XP, for posting its proof-of-concept code on the same day Microsoft issued a security bulletin to resolve the issue.

It said Core, which reported a critical issue in the PNG (portable network graphics) processing technology present in Microsoft Windows and MSN Messenger, also published proof-of-concept code on the Web the same day an advisory was released to address the problem.

The Redmond, Wash.-based software giant believes that the two security companies ignored an unspoken law among researchers to wait "a reasonable period of time" before publishing their work. Microsoft said those generally accepted industry practices give its customers more time to test, download and deploy necessary security updates.

Neither Finjan nor Core immediately responded to calls seeking comment on the Microsoft announcement. However, in a previous interview with CNET News.com, Finjan CEO Shlomo Touboul defended his company's practices around reporting Microsoft's vulnerabilities.

"People need to know that they have to be careful--and without education, people won't be careful," Touboul said. "I wouldn't say we are scaring people. I don't believe in panic, but in very calculated behavior."
