In the wake of its commitment to security as a top priority, Microsoft has released a new patch to correct six flaws in its dominant Internet Explorer browser.
Earlier this week Microsoft released a patch designed to correct six new known security vulnerabilities in its Internet Explorer browser. One of the flaws, a buffer overrun weakness, is so serious, Microsoft says it could allow would-be attackers to run any program on a victim's computer.
According to the company, the patch covers three "critical" and three "moderate" vulnerabilities in the free but widely used Internet software. The weaknesses affect the three latest versions of Internet Explorer, including the version found in Windows XP. The patch is available for free at Microsoft.com.
John Finnegan, consultant at the Dublin-based e-security firm Rits, says all of the flaws can cause noticeable problems but admits that the buffer overrun flaw that can give attackers access to a PC's files could be "quite serious." Finnegan said, "In general we recommend that people try to stay on top of all of these flaws. The cumulative patch released by Microsoft actually fixes something like 15 or so flaws discovered over the past few months so users don't have to download all of the patches to keep up to date."
Along with the buffer overrun weakness, other recently discovered Internet Explorer vulnerabilities could permit a malicious user to read a person's files, although the attacker would have to know exactly what the files are and where they are stored. Additionally, the weaknesses could mislead a user into opening an unsafe file or instruct a computer to run a script even if the user has disabled that function for security reasons.
Over the last few years, Microsoft products have developed a reputation for weak security. Earlier this month it was discovered that users who run Microsoft's Messenger programme along with Internet Explorer face the prospect of revealing buddy names and e-mail addresses to would-be attackers. Moreover, that flaw could give malicious hackers the power to impersonate another user on-line. A patch for that security gap is not yet available, but is expected to be released soon. "Again we recommend people protect themselves by downloading the patch, although the (Messenger) application is not something that would be found on most business PCs," said Finnegan.
The news, more ammunition for the anti-Microsoft camp, comes just weeks after the company announced that e-security was its "top priority." That move was greeted with cautious praise in the e-security community, which is not yet convinced that the software giant can pull off the feat.
"I think it's good because it is something they needed to do. Although I am disappointed that it took so long (for Microsoft) to listen to what the community wanted," explained Sean Reynolds, managing director at Rits. Referring to the software giant's recent and highly publicised appointment of Scott Charney as its chief security strategist, Reynolds said, "That is a serious commitment." Charney is a principal for PricewaterhouseCoopers' Cybercrime Prevention and Response Practice and a former chief of the Computer Crime and Intellectual Property Section (CCIPS), Criminal Division, at the Department of Justice, from 1991 to 1999.
But Reynolds was cautious about how effective the new strategy from Microsoft will be. He explained that the company is selling products for all sectors of the market, with the same products being sold to both the consumer and business sector. Businesses in many cases have more stringent security needs and consumers demand flexibility in their software products. "Security and flexibility are sometimes at the opposite end of the spectrum," Reynolds said.
"In the short term I don't think Microsoft's new strategy will make any difference. In the medium to long term it could be successful but I think they will have to segment their products for the business community and for consumers. That will not be easy for them to do," Reynolds explained.