Microsoft: IE hole worse than reported

Microsoft on Friday raised its threat rating for a security flaw in its Internet Explorer browser to "critical," in response to criticism of its initial assessment of the hole's danger.

A representative of Microsoft, which has come under fire for its security policies, said the company had changed its original rating of a flaw in IE versions 5.5 and 6 as a result of comments posted to the Bugtraq online bulletin board by a security consultant.

As previously reported by CNET News.com, Thor Larholm, a vulnerability researcher with security consultancy Pivx Solutions questioned Microsoft's "moderate" rating--issued Wednesday--in a Buqtraq forum posting.

"Microsoft has given this vulnerability a maximum severity rating of moderate," Larholm wrote. "Great, so arbitrary command execution, local file reading and complete system compromise is now only moderately severe, according to Microsoft."

Larholm characterized the initial rating as an attempt to downplay the second major Internet security bug found in a Microsoft product in about two weeks. The first security hole exposed millions of Web servers and PCs to potential hacking. That flaw likely affected the more than 4 million Web sites using Microsoft's Internet Information Server software.

"It seems like Microsoft is deliberately downplaying the severity of the vulnerabilities in an attempt to gain less bad press. It sure would look bad to release two critical cumulative updates in just two weeks, but that is exactly what has been done," Larholm wrote.

But Microsoft said Friday that it had simply missed an important detail when making its initial assessment of the flaw. By causing the company to do additional testing, Larholm's postings alerted Microsoft to the error.

"Information posted to NTbugTraq...prompted an investigation that uncovered a previously unknown exploit scenario," Microsoft said in a statement Friday. "The newly discovered exploit scenario...could allow a malicious user to run code on a user's computer via a specially crafted Web site or e-mail message--thus warranting a severity rating of critical."

A Microsoft representative confirmed during an interview that Larholm's postings contained the "information" referred to in the statement.

A perceived lack of security in Microsoft's products and in the computing industry as a whole prompted Bill Gates to deliver a widely publicized mandate to employees earlier this year, insisting that the issue become the company's first priority. Microsoft has also been at the center of a debate between software companies and security consultants about how and when vulnerabilities in products should be made public. And the company's rating of flaws in its products could become an even greater issue as enterprises try to make sense out of recent changes Microsoft has made to its ratings system.

In November, the Redmond, Wash.-based computing titan altered its security-alert system, adding a fourth rating among other changes. The new system inserts a rating of "important" between "critical" and "moderate." The fourth designation is "low." Under the new mechanism, then, a "moderate" alert, like the one originally given to the IE flaw, is less severe than it would have been a month ago.

A bigger bug than bargained for
In Microsoft's original warning on the IE flaw, the company noted that a potential hacker exploit had been made possible by an error in how Internet Explorer 5.5 and 6 handle "Web objects." Using the exploit, hackers could eventually read any files on a victim's computer and launch certain programs on the machine. The hacker, however, would not be able to place programs on the invaded computer or change or delete files, the original posting said. But Larholm's messages to the Bugtraq forum questioned Microsoft's conclusions on how much damage a hacker could do, which lead to the company's additional tests.

"It seems like Microsoft has been able to reproduce an exploitable scenario, even before I got a chance to make my demonstration for them," Larholm said on Friday. "I am thrilled to see that the bulletin has been revised, but would have expected it to be truthful from the beginning without the need for public scrutiny."

Microsoft emphasized that the change in rating would not impact consumers or businesses that had already applied a fix for the security bug.

"The patches are unchanged," Microsoft said in a statement. "Customers who have already applied (the patch) are protected against this and past vulnerabilities. Our goal is to provide our customers with the most prescriptive, accurate and timely security information possible."

The patch is cumulative for other security bugs and can be applied to Internet Explorer 5.5 with Service Pack 2 installed, and to IE 6.