ENN - Electric News.net

Security issues bedevil Microsoft
Wednesday, February 13 2002
by Matthew Clark

In the wake of its commitment to security as a top priority, Microsoft has released a new patch to correct six flaws in its dominant Explorer Internet browser.

Earlier this week Microsoft released a patch designed to correct six new known security vulnerabilities in its Internet Explorer browser. One of the flaws, a buffer overrun weakness, is so serious, Microsoft says it could allow would-be attackers to run any program on a victim's computer.

According to the company, the patch covers three "critical" and three "moderate" vulnerabilities in the free but widely used Internet software. The weaknesses affect the three latest versions of Internet Explorer, including the version found in Windows XP. The patch is available for free at Microsoft.com.

John Finnegan, consultant at the Dublin-based e-security firm Rits, says all of the flaws can cause noticeable problems but admits that the buffer overrun flaw that can give attackers access to a PC's files could be "quite serious." Finnegan said, "In general we recommend that people try to stay on top of all of these flaws. The cumulative patch released by Microsoft actually fixes something like 15 or so flaws discovered over the past few months so users don't have to download all of the patches to keep up to date."

Along with the buffer overrun weakness, other recently discovered Internet Explorer vulnerabilities could permit a malicious user to read a person's files, although the attacker would have to know exactly what the files are and where they are stored. Additionally, the weaknesses could mislead a user into opening an unsafe file or instruct a computer to run a script even if the user has disabled that function for security reasons.

Over the last few years, Microsoft products have developed a reputation for weak security. Earlier this month it was discovered that users who run Microsoft's Messenger programme along with Internet Explorer face the prospect of revealing buddy names and e-mail addresses to would-be attackers. Moreover, that flaw could give malicious hackers the power to impersonate another user on-line. A patch for that security gap is not yet available, but is expected to be released soon. "Again we recommend people protect themselves by downloading the patch, although the (Messenger) application is not something that would be found on most business PCs," said Finnegan.

The news, more ammunition for the anti-Microsoft camp, comes just weeks after the company announced that e-security was its "top priority." That move was greeted with cautious praise in the e-security community who are not as yet convinced that the software giant can pull off the feat.

"I think it's good because it is something they needed to do. Although I am disappointed that it took so long (for Microsoft) to listen to what the community wanted," explained Sean Reynolds, managing director at Rits. Referring to the software giant's recent and highly publicised appointment of Scott Charney as its chief security strategist, Reynolds said, "That is a serious commitment." Charney is a principal for PricewaterhouseCoopers' Cybercrime Prevention and Response Practice and a former chief of the Computer Crime and Intellectual Property Section (CCIPS), Criminal Division, at the Department of Justice, from 1991 to 1999.

But Reynolds was cautious about how effective the new strategy from Microsoft will be. He explained that the company is selling products for all sectors of the market, with the same products being sold to both the consumer and business sector. Businesses in many cases have more stringent security needs and consumers demand flexibility in their software products. "Security and flexibility are sometimes at the opposite end of the spectrum," Reynolds said.

"In the short term I don't think Microsoft's new strategy will make any difference. In the medium to long term it could be successful but I think they will have to segment their products for the business community and for consumers. That will not be easy for them to do," Reynolds explained.


© Copyright ElectricNews.Net Ltd 1999-2002.