Microsoft complains about 'irresponsible' security revelation

Daily Newsletters

Sign up to ZDNet UK's daily newsletter.

NEWS

Microsoft has slammed the people responsible for publishing details of the vulnerability that has lead to the creation of the bofra virus.

The software giant, which has yet to release a patch for the flaw, said that the vulnerability was not reported in a responsible fashion.

In a prepared email statement from a Microsoft spokesperson, the company said: "Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. "

"We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities with no exposure to malicious attackers while the patch is being developed."

The bofra virus, which antivirus companies initially believed to be a MyDoom variant, emerged on Monday after the vulnerability it was based on was published last week on a Web chat forum.

On Friday security firm Secunia issued an advisory on the vulnerability, saying that the flaw was 'extremely critical'. Chief technology officer for the company Thomas Kristensen said that 'Ned', the individual who initially found the bug, stumbled across it when testing browsers when using a publicly available tool. The tool crashed IE, so he posted a question on an Internet forum asking others to look at why the program had failed. With some additional research from others in the community, it came to light that the IFRAME flaw was causing the crash.

"Microsoft is right that those who disclose this kind of thing are irresponsible," said Kristensen. "But in this case, it's slightly different because he [Ned] published the first part and they [the other researchers] published the second part. And he didn't do it -- it was done with a tool. If you find a crash in a browser, you might not know if it's serious or not. He might not have been able to test that."

The bofra virus sends out hundreds of emails from an infected machine. The reader on the target machine follows a link sent in the email, which leads to a Web site hosted on the original infected PC. The IE exploit on that Web site turns the computer into another infected machine, and the cycle starts again. All version of the worm also open a back door to the infected computers.

Microsoft has yet to release a patch for the IE vulnerability, but advised users to upgrade to Windows XP SP2, which is apparently unaffected by the flaw.

Talkback

well, aint that just typical. of course MS want people to dislcose these to them first. that way they can hide it from everyone else while taking their time preparing a fix. all while nobody knows any better.

they want it to work in a way where they release fixes before the problems are made public so it will look like they are the ones putting in all the hard work securing their software when in fact it is others.

it's better for everyone if it's made public first, that way MS have to get their a$$es into gear and prepare a fix quickly!!

via Facebook 10 November, 2004 13:12
Reply

Microsoft are even more irresponsible for releasing buggy security risk software and charging users a fortune for. Its funny they always chastise everyone except themselves.

via Facebook 10 November, 2004 14:52
Reply

It is all very well for Microsoft to want to wait until they have a fix for a flaw before making it public. However, if one person has found the flaw and comes forward to report it to Microsoft, who is to say that somebody less scrupulous hasn't also already discovered it and is planning to exploit it before MS can get a patch out.

I don't care if MS has a patch ready when a weakness is found, I would rather have that information available so that I can protect myself and my customers in the best way possible until a patch *is* released.

Why are Microsoft so willing to put their customers machines and networks at risk for the sake of appearing to be able to respond to threats faster?

If aircraft have a potential problems, then they are grounded or put on restriction until a solution is found.

Everybody knows Microsoft have security problems with their software, and that they are working on improving the situation. Fine. But withholding information (lying by omission) isn't going to help their reputation.

And statements like this don't help inspire confidence in their products. If this one exploit has been discovered and released in a manner that Microsoft don't like, just how many more exploits and security holes are their, that somebody knows about and MS are "dealing" with? 0? 1? a hundred? thousands?

It isn't a comforting thought that you are putting your businesses IT in the hands of a company you can't trust!

via Facebook 10 November, 2004 15:27
Reply

How many flaws does MS find by them selves in their own software.
None I suppose.
And I suppose they are not searching either.

However, there are no reasons to use IE at all.
And there are less and less reasons to use Windows.

via Facebook 10 November, 2004 16:41
Reply

the fix is called FIREFOX

via Facebook 10 November, 2004 20:24
Reply

The "iresponsible" action is that Mircrosoft continues to dump bug ridden poor software with countless security flaws on the world market, and it charges us for the privelage.

via Facebook 10 November, 2004 20:28
Reply

A web page called moviepass.tv is offering a three day free trial to see their product, which I did and found it not to my liking. I failed to read the small print saying that if I did not advise before the trial days are over I am under legal obligation to pay for a years subscription. Now I am unable to work on the net withour constant pop ups saying I have to pay-
Is this legal?
To whom should I direct an official complaint?

via Facebook 20 April, 2006 00:47
Reply

To Anonymous regarding Moviepass: You can complain to Moviepass although I can assure you their customer service agents will refuse to co-operate but much better is to complain to the Federal Trade Commission. Tens, if not hundreds, of thousands of people have been affected by Moviepass installing itself without knowledge or consent on users computers. The more people report this to the FTC the more likely they are to act quickly against Moviepass. If you go to this webpage... http://profend.com/answers/moviepass you'll see a very obvious link to the FTC but also if you go to the Further Info page there's other organisations you can contact, there's the contact info for Moviepass and other stuff about Moviepass as well.

via Facebook 25 April, 2006 03:16
Reply

i'm really getting fed up with moviepass. the time that they say i signed up for the 3 day pass, there was absolutely no-one at home. i want it stopped

via Facebook 30 April, 2006 00:11
Reply

Go to the website mentioned in earlier post it has all instructions for removing moviepass.

http://www.profend.com/answers/moviepass.html

via Facebook 3 May, 2006 02:03
Reply

I have problems with moviepass.tv i have no
way of paying this people i never even appled
but they keep sending messages i'm looking for away get them of my computer and my
back please help.
I'm low income and i don't have a credit card
or checks and i can not pay by phone
these people do not leave anyone away to cntact them to let them know that can't pay them what they ask of me.

via Facebook 17 May, 2006 18:22
Reply

i have been informed that my 3day free trial has expired,as i did not ask for this i dont see how it has expired. now i cant get on my pc. without moviepass.tv keep coming up. how can i get rid of it,or get even?

via Facebook 23 May, 2006 21:45
Reply

Post your comment

In order to post a comment you need to be registered and logged in.

You can also log in with Facebook. Log in or create your ZDNet UK account below

  • Login

Will not be displayed with your comment

By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Community FAQ

Get ZDNet UK's daily newsletter

Enter your email address to sign up

ZDNet UK Live

dede0202

Hello ALL USERS OF THE PIRATE BAY I WOULD PUT AN EXPLANATION ON PIRACY Story Idea ILLIGALE AND SHARING THOSE THAT NET Dissent NOT WELL BUT TO CA...

1 hour ago by dede0202 on The Pirate Bay infringes copyright, High Court decides
Sungwoo

do You know that? it can install 4G Ram. So i buy 4g and install It work! I can run call of duty 4,6,7 [Modern war... 1,2,3] Call of duty 1 was...

2 hours ago by Sungwoo on Loose Ends - Upgrading the Aspire One 522
itsajob

2. Bad idea. Making up patch cables loses you your commission from the cable supplier. 3. If you tidy up, other people can understand where the...

8 hours ago by itsajob on Ten IT jobs to save up for those rare lulls
Roberto_Store

Now On Sale, Unlocked iPhone 4S / Galaxy Note In Factory Box. Roberto-Techie(UK) ”Now on Sales” Smartphone, Android,Tablets,Gadget &...

12 hours ago by Roberto_Store on Samsung Galaxy S III lined up for sale
Paul Smyth

Is this classic FUD? One thing I would definitely have notice is a Mozilla threat to stop supporting GNU/Linux.

13 hours ago by Paul Smyth via Facebook on Firefox rapid release improves Fedora Linux
UnderINK

I agree with the previous commenter wholeheartedly. I couldn't say it better myself. This is very 'Big Brother'. And while I agree with protecting...

18 hours ago by UnderINK on European e-identity plan to be unveiled this month
Simon Bisson and Mary Branscombe

Nice to see that Turing's idea of a general purpose computer doing once-hardware-powered tasks in software is now universal ;-) Mary

23 hours ago by Simon Bisson and Mary Branscombe on Software with everything
Jason Burchell

seriously now. I've only bothered to read a small bit of the comments. do me and the rest of the world a favour. stop saying it does not work or...

1 day ago by Jason Burchell via Facebook on Music industry negotiating over 24-bit downloads
Philip Charles Cohen

Read about it and weep, John Donahoe ... In addition to Visa’s V.me, there is now MasterCard’s PayPass digital wallet soon to arrive; another...

1 day ago by Philip Charles Cohen via Facebook on PayPal takes phone-based payments to the high street
apexwm

Leslie Satenstein : Where have you ever seen Mozilla even mention this? Firefox is the most popular browser in the GNU/Linux OS, so I don't see...

1 day ago by apexwm on Firefox rapid release improves Fedora Linux
songmaster

SHleG: Do you remember building a clockwork scorpion kit (I'm pretty sure I have a photo of it somewhere) — I think it was called something like...

1 day ago by songmaster on Software with everything
Chris Wortman

Good I love Yahoo! Their search engine is getting better than Google as of late. I find more of what I want on the first page, and usually within...

1 day ago by Chris Wortman via Facebook on Linux Mint 13 ramps up for KDE release
PatrickG

openhgs has made the point for Windows 8 multiple monitors without realising it! With Windows 7 you have to switch the mouse and so your focus...

1 day ago by PatrickG on Windows 8 could speed multi-monitor uptake
Leslie Satenstein

Mozilla has threatened to stop supporting Linux. I guess that UBUNTU is going with another browser. I indicated that if Mozilla stops supporting...

2 days ago by Leslie Satenstein via Facebook on Firefox rapid release improves Fedora Linux
Andy Bolstridge

Much as I abhor Microsoft's licensing practices, this is almost certainly down to purchasing IT equipment via 3rd party consultants - you get the...

2 days ago by Andy Bolstridge via Facebook on 6 million wasted licences and £1,200 PCs: welcome to government IT
Jack Schofield

@openhgs Windows users have had multiple desktops since Linus started writing Linux. They just haven't shipped as standard because not enough...

2 days ago by Jack Schofield on Windows 8 could speed multi-monitor uptake
Jack Schofield

@Phil at Cloud4 What, Microsoft gets £1,200 per PC and £1,622 per server? Gosh, I'm amazed....

2 days ago by Jack Schofield on 6 million wasted licences and £1,200 PCs: welcome to government IT
craigsc

You guys have no idea what is going on at Autonomy. Autonomy could have been a much more profitable organization. The sales operations at Autonomy...

2 days ago by craigsc on HP cuts 27,000 staff as Autonomy chief Lynch leaves
Moley

How does this impact on dual or multi booting? Seems to me to more or less prohibit this, from Windows 8 anyway. Will Grub 2 recognise Windows 8,...

2 days ago by Moley on Windows 8 start-up speed forces USB boot workaround
apexwm

I don't understand why there cannot be a slight pause during the boot process so the user can press a key. Many operating systems do this, even if...

2 days ago by apexwm on Windows 8 start-up speed forces USB boot workaround