But some security experts took issue with Microsoft rating the Web objects bug as only a moderate threat. In a posting on the Bugtraq forum, Thor Larholm, a vulnerability researcher with security consultancy Pivx Solutions lambasted Microsoft's moderate rating. "Microsoft has given this vulnerability a maximum severity rating of 'moderate,'" he wrote. "Great, so arbitrary command execution, local file reading and complete system compromise is now only moderately severe, according to Microsoft." In November, Microsoft made changes to its security-alert system, including the addition of a fourth rating. The new rating system added "important" between "critical" and "moderate." The fourth designation is "low." So under the new mechanism, a moderate alert is much less severe than it was a month ago. In the Outlook flaw, a hacker could send a "specially malformed e-mail" that would cause the "Outlook client to fail under certain circumstances," the bulletin stated. "The Outlook 2002 client would continue to fail so long as the specially malformed e-mail message remained on the e-mail server." The Outlook client would remain usable until the hacker e-mail was removed from the server, either by an administrator or by the user accessing the account with another e-mail client. The exploit affects e-mail delivered using POP, IMAP or WebDAV protocols. Microsoft has provided a patch for this exploit, which requires that Office XP Service Pack 2 be installed first. Wednesday's alerts bring the total to nearly 70 for the year, despite Microsoft's new emphasis on making software more secure. In January, Microsoft Chairman Bill Gates called on the company to make security a top priority, even more than adding new features to products. But the software giant has struggled to stomp out the bugs, some of which are recently discovered but have been around for years. Besides the aforementioned November alerts, in mid-October, the company issued three security bulletins, some with multiple exploits. Earlier in the month, Microsoft stomped out an Outlook Express 6 bug that could have allowed a hacker to take complete control over an exposed computer.
For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section.
Have your say instantly, and see what others have said. Go to the Security forum.
Let the editors know what you think in the Mailroom.
