ENN - Electric News.net

The story is available from https://electricnews.net/news.html?code=6118162

Security issues bedevil Microsoft
Wednesday, February 13 2002
by Matthew Clark


In the wake of its commitment to security as a top priority, Microsoft has
released a new patch to correct six flaws in its dominant Explorer Internet
browser.

Earlier this week Microsoft released a patch designed to correct six new known
security vulnerabilities in its Internet Explorer browser. One of the flaws, a
buffer overrun weakness, is so serious, Microsoft says it could allow would-be
attackers to run any program on a victim's computer.
According to the company, the patch covers three "critical" and three
"moderate" vulnerabilities in the free but widely used Internet software. The
weaknesses affect the three latest versions of Internet Explorer, including the
version found in Windows XP. The patch is available for free at Microsoft.com (http://www.microsoft.com/windows/ie/downloads/critical/q316059/default.asp).

John Finnegan, consultant at the Dublin-based e-security firm Rits, says all of
the flaws can cause noticeable problems but admits that the buffer overrun flaw
that can give attackers access to a PC's files could be "quite serious."
Finnegan said, "In general we recommend that people try to stay on top of all
of these flaws. The cumulative patch released by Microsoft actually fixes
something like 15 or so flaws discovered over the past few months so users don't
have to download all of the patches to keep up to date."

Along with the buffer overrun weakness, other recently discovered Internet
Explorer vulnerabilities could permit a malicious user to read a person's files,
although the attacker would have to know exactly what the files are and where
they are stored. Additionally, the weaknesses could mislead a user into
opening an unsafe file or instruct a computer to run a script even if the user
has disabled that function for security reasons.

Over the last few years, Microsoft products have developed a reputation for weak
security. Earlier this month it was discovered that users who run Microsoft's
Messenger programme along with Internet Explorer face the prospect of revealing
buddy names and e-mail addresses to would-be attackers. Moreover, that flaw could
give malicious hackers the power to impersonate another user on-line. A patch for
that security gap is not yet available, but is expected to be released soon.
"Again we recommend people protect themselves by downloading the patch,
although the (Messenger) application is not something that would be found on most
business PCs," said Finnegan.

The news, more ammunition for the anti-Microsoft camp, comes just weeks after the
company announced that e-security was its "top priority." That move was
greeted with cautious praise in the e-security community who are not as yet
convinced that the software giant can pull off the feat.

"I think it's good because it is something they needed to do. Although I am
disappointed that it took so long (for Microsoft) to listen to what the community
wanted," explained Sean Reynolds, managing director at Rits. Referring to the
software giant's recent and highly publicised appointment of Scott Charney as its
chief security strategist, Reynolds said, "That is a serious commitment."
Charney is a principal for PricewaterhouseCoopers' Cybercrime Prevention and
Response Practice and a former chief of the Computer Crime and Intellectual
Property Section (CCIPS), Criminal Division, at the Department of Justice, from
1991 to 1999.

But Reynolds was cautious about how effective the new strategy from Microsoft
will be. He explained that the company is selling products for all sectors of the
market, with the same products being sold to both the consumer and business
sector. Businesses in many cases have more stringent security needs and consumers
demand flexibility in their software products. "Security and flexibility are
sometimes at the opposite end of the spectrum," Reynolds said.

"In the short term I don't think Microsoft's new strategy will make any
difference. In the medium to long term it could be successful but I think they
will have to segment their products for the business community and for consumers.
That will not be easy for them to do," Reynolds explained.




 

© Copyright ElectricNews.Net Ltd 1999-2002.