In Microsoft's original warning on the IE flaw, the company noted that a potential hacker exploit had been made possible by an error in how Internet Explorer 5.5 and 6 handle "Web objects." Using the exploit, hackers could eventually read any files on a victim's computer and launch certain programs on the machine. The hacker, however, would not be able to place programs on the invaded computer or change or delete files, the original posting said.

But Larholm's messages to the Bugtraq forum questioned Microsoft's conclusions on how much damage a hacker could do, which led to the company's additional tests.

"It seems like Microsoft has been able to reproduce an exploitable scenario, even before I got a chance to make my demonstration for them," Larholm said on Friday. "I am thrilled to see that the bulletin has been revised, but would have expected it to be truthful from the beginning without the need for public scrutiny."

Microsoft emphasised that the change in rating would not impact consumers or businesses that had already applied a fix for the security bug.

"The patches are unchanged," Microsoft said in a statement. "Customers who have already applied (the patch) are protected against this and past vulnerabilities. Our goal is to provide our customers with the most prescriptive, accurate and timely security information possible."

The patch is cumulative for other security bugs and can be applied to Internet Explorer 5.5 with Service Pack 2 installed, and to IE 6.





