
By Robert Vamosi
Posted on ZDNet News: Dec 4, 2002 12:00:00 AM

Last week Microsoft issued a cumulative patch for Internet Explorer, called MS02-066. Microsoft says three of the six vulnerabilities fixed by the patch involve a concept known as cross-domain security--or the process of allowing certain sites to access your computer, while forbidding others to do the same.

However, security research firm GreyMagic Software issued a press release Monday stating that Microsoft made several inaccurate statements in its latest security advisory--first by minimizing the potential risks of cross-domain security, then by implying that the current security patch fixes more than it does.

I believe there's a bigger issue at stake here, and that's the way GreyMagic is publicly discussing Microsoft's security matters. Microsoft and the U.S. government argue that this sort of behavior will lead to further malicious attacks on the Internet, and serve no one.

I disagree. Microsoft has a responsibility to address each and every flaw in its software--and should not be allowed to issue an incomplete or inaccurate patch.

Ironically, most of Internet Explorer's outstanding flaws involve its heralded "security zones." IE divides the online world into four zones: a Local zone for your intranet; a Trusted sites zone containing sites you believe you can download or run files from without worry; a Restricted sites zone consisting of sites you don't trust; and an Internet zone, which by default includes anything not on your computer or an intranet, or assigned to any other zone. IE adjusts its security settings--which control whether or not you download cookies or execute code from a site--depending on which zone the current site falls into.

Under this cross-domain security model, when you're using Internet Explorer, most sites on the public Internet should not have access to data on your hard drive.

However, three flaws outlined in Microsoft's latest security announcement--Frames Cross Site Scripting, Cross Domain Verification via Cached Methods, and Improper Cross Domain Security Validation with Frames--allow a malicious user to bypass these security zones.

Security researcher Andreas Sanblad recently demonstrated a way to take advantage of IE's vulnerable security zones, and posted a description of his exploit on the security newsgroup Bugtraq. Sanblad's exploit, as described on ZDNet's Virus and Security Alert Forum, made it possible for a malicious user to reformat a floppy disk drive on a remote computer via JavaScript. Sanblad's exploit used one of the 32 unpatched Internet Explorer vulnerabilities catalogued by security researcher Thor Larholm, the so-called "assign method caching" flaw.

The current argument among security experts is whether or not the security holes Sanblad exploited are fixed by the latest IE cumulative patch. Though Microsoft says that the three patched vulnerabilities in MS02-066 would not allow an attacker to place executable files on a remote system, GreyMagic says the Sanblad exploit provides an example of exactly that.

In addition, GreyMagic insists that Microsoft's security bulletin is incorrect in claiming that the three patched vulnerabilities would "only allow an attack to read files on the user's local system that can be rendered in a browser window, such as image files, HTML files, and text files." GreyMagic says that any type of file on the victim's computer could be read by a malicious user.

A perfect case for public disclosure
Regardless of who's right here--Microsoft or GreyMagic--this is a perfect example of why publicly disclosing software security flaws is important. While announcing vulnerabilities publicly can increase the likelihood of new malicious attacks, the fact that large software companies can't or won't fix flaws that are reported to them is a more serious problem. Sometimes, the only way to make a company respond responsibly is to make the vulnerability information public.

That's why I am critical of vendor-based organizations such as the Organization for Internet Safety (OIS), which seeks to quietly report and resolve software flaws. Instead I support independent third-party security organizations, such as Carnegie-Mellon's CERT Coordination Center, which believes in promoting the public discourse of vulnerabilities.

Of course, despite this controversy, you should still apply this latest Internet Explorer patch. As I always say: Some protection is better than none. In particular, users of Internet Explorer 5.01, 5.5, and 6.0 running under Windows 98, 98 SE, ME, 2000, and Windows XP should read about and then download the MS02-066 fix. Note that Windows 95 is no longer supported by Microsoft.

Are you satisfied with how Microsoft handles IE's security patches? TalkBack below or e-mail us.
