Microsoft investigates 'download warning' flaw

Microsoft has said it will take "appropriate action" to fix a problem in Internet Explorer and Windows XP SP2 that allows a malicious Web site to bypass the browser's warnings when downloading potentially harmful content.

On Monday, French Web site K-otik published exploit codes that could take advantage of the vulnerability. On Tuesday, a Microsoft representative said that the risk from the flaw is low because "significant user interaction and user interface steps have to occur before any malicious code can be executed."

However, the software giant did admit that it was possible to bypass the security warnings in IE--even when using Windows XP with Service Pack 2.

"Microsoft is investigating this method of bypassing the Internet Explorer download warning and will take appropriate action to cover this scenario in order for customers to be properly advised that executables downloaded from the Internet can be malicious in nature," the representative said.

The representative acknowledged that if the file were saved in the start-up folder, it would automatically run the next time the user restarted his computer.

"The user must go to the folder containing that executable and choose to run it, or log off and log back onto the computer if the attacker attempted to save the malicious executable into the user?s Windows start-up folder," the representative said.

However, the representative said the problem was not a security vulnerability but actually a clever use of social engineering.

"It is important to note that this is not the exploitation of a security vulnerability, but an attempt by an attacker to use social engineering to convince a user to save an executable file on the hard drive without first receiving the Internet Explorer download warning," the representative said.

Still, some security experts disagree with Microsoft on this point.

Sean Richmond, senior technology consultant at antivirus company Sophos Australia, agreed that the exploit would require some user interaction but said this was definitely bypassing a security feature in IE and SP2.

"This is certainly something that is bypassing some of the security features that are meant to be there. It is a way of bypassing the dialogs in IE. It will result in the (malicious) file being saved on the user's computer," said Richmond, who added that the matter would be worse if that file could be saved in a computer?s start-up folder.

Richard Starnes, an information security professional with around 20 years' experience in information security, incident response, computer crime investigation and cyberterrorism, said that legislation could be used to force Microsoft--and other software developers--to improve their code and take financial responsibility for their customers' losses.

"I wonder how solid Microsoft's coding would become if strategic governments around the world removed the liability shield that software manufactures now currently enjoy," Starnes said. "They would then have some real financial incentive to get it right the first time, instead of this Computer Science 101 coding they are continually churning out."

Starnes believes the quality of software development has fallen in the past two decades.

"Most commercial releases of software today wouldn't have made it out of beta 20 years ago," he added.

Munir Kotadia of ZDNet Australia reported from Sydney.

That would be nice

Forcing companies to release high quality code the first time around would be a nice change of pace, and not only at MS. The current trend of selling beta software disguised as release quality code is tiresome.

Reading this article you can tell that MS is being dragged into fixing this issue. Which is not surprising.

Like many industries before, only government interference will improve things. That is a sad statement about the 'buck at any cost' atmosphere at nearly every corporation.

addendum

"hey would then have some real financial incentive to get it right the first time, instead of this Computer Science 101 coding they are continually churning out," said Starnes."

Stop insulting computer science students. :)~

[Ubber geek]

nice change

<a class="jive-link-external" href="http://www.analogstereo.com/audi_a4_owners_manual.htm" target="_newWindow">http://www.analogstereo.com/audi_a4_owners_manual.htm</a>

That would be nice

Forcing companies to release high quality code the first time around would be a nice change of pace, and not only at MS. The current trend of selling beta software disguised as release quality code is tiresome.

Reading this article you can tell that MS is being dragged into fixing this issue. Which is not surprising.

Like many industries before, only government interference will improve things. That is a sad statement about the 'buck at any cost' atmosphere at nearly every corporation.

addendum

"hey would then have some real financial incentive to get it right the first time, instead of this Computer Science 101 coding they are continually churning out," said Starnes."

Stop insulting computer science students. :)~

[Ubber geek]

nice change

<a class="jive-link-external" href="http://www.analogstereo.com/audi_a4_owners_manual.htm" target="_newWindow">http://www.analogstereo.com/audi_a4_owners_manual.htm</a>

[anthonycea]

Direct link to Firefox download here!

Get a secure browser today, see the following for a direct link to the free download.

<a class="jive-link-external" href="http://searchwars.squarespace.com/free-software-downloads/" target="_newWindow">http://searchwars.squarespace.com/free-software-downloads/</a>

You can also find links to AV, anti-spyware/malware downloads, all free, all the best protection available.

firefox blows

I downloaded that peice of crap app and I must say it blows. It does have some nice features "built-in" but I can get all the same protection and features with addons for IE. Oh ya, their latest installer ****** one of my systems royally. Thanks for such a good product - not.

[anthonycea]

Direct link to Firefox download here!

Get a secure browser today, see the following for a direct link to the free download.

<a class="jive-link-external" href="http://searchwars.squarespace.com/free-software-downloads/" target="_newWindow">http://searchwars.squarespace.com/free-software-downloads/</a>

You can also find links to AV, anti-spyware/malware downloads, all free, all the best protection available.

firefox blows

I downloaded that peice of crap app and I must say it blows. It does have some nice features "built-in" but I can get all the same protection and features with addons for IE. Oh ya, their latest installer ****** one of my systems royally. Thanks for such a good product - not.