Microsoft has slammed the people responsible for publishing details of the vulnerability that has lead to the creation of the bofra virus.
The software giant, which has yet to release a patch for the flaw, said that the vulnerability was not reported in a responsible fashion.
In a prepared email statement from a Microsoft spokesperson, the company said: "Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. "
"We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities with no exposure to malicious attackers while the patch is being developed."
The bofra virus, which antivirus companies initially believed to be a MyDoom variant, emerged on Monday after the vulnerability it was based on was published last week on a Web chat forum.
On Friday security firm Secunia issued an advisory on the vulnerability, saying that the flaw was 'extremely critical'. Chief technology officer for the company Thomas Kristensen said that 'Ned', the individual who initially found the bug, stumbled across it when testing browsers when using a publicly available tool. The tool crashed IE, so he posted a question on an Internet forum asking others to look at why the program had failed. With some additional research from others in the community, it came to light that the IFRAME flaw was causing the crash.
"Microsoft is right that those who disclose this kind of thing are irresponsible," said Kristensen. "But in this case, it's slightly different because he [Ned] published the first part and they [the other researchers] published the second part. And he didn't do it -- it was done with a tool. If you find a crash in a browser, you might not know if it's serious or not. He might not have been able to test that."
The bofra virus sends out hundreds of emails from an infected machine. The reader on the target machine follows a link sent in the email, which leads to a Web site hosted on the original infected PC. The IE exploit on that Web site turns the computer into another infected machine, and the cycle starts again. All version of the worm also open a back door to the infected computers.
Microsoft has yet to release a patch for the IE vulnerability, but advised users to upgrade to Windows XP SP2, which is apparently unaffected by the flaw.
In order to post a comment you need to be registered and logged in
Log in or create your ZDNet UK account below
By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Membership FAQ
that comment bot is a nutter, it just referred me to the moderator on my own blog. shocked look. please help thank you Dava I'm afriad to...
2 hours ago by dava4444 on Welcome to the new ZDNet UK community! Hi Rupert! Don't think I could fill the above shoes... but if your ever looking for a consumer rights Tech blogger..tip me the wink lol peace Dava
3 hours ago by dava4444 on Fancy working for ZDNet UK? Hi Rupert My photo is gone from my profile and I just got told i was a spammer by the comment bot. the navigation is gone for my profile. :O on...
3 hours ago by dava4444 on Welcome to the new ZDNet UK community!
With windows it is always more bloat, and a lot of that seems to be duplicated in various places. I've noticed that you will have freed space on...
9 hours ago by ator1940 on Can you believe it - 2765 kB will be freed?
Buzz My Stat : New search for http://www.zdnet.co.uk Take a look: http://www.buzzmystat.com/site/zdnet.co.uk
13 hours ago on Twitter by BuzzMyStat
Hi Jamie, I'm sorry your comment got caught in the spam filter. We use an industry standard blacklist for this. I suspect that the comment may...
18 hours ago by Karen Friar on Spam? Filter Changed?
Pop - Neither have I. Ever, under any circumstances. I'm much more accustomed to Windows slowly, but inexorably, consuming more and more disk...
19 hours ago by J.A. Watson on Can you believe it - 2765 kB will be freed?
Apple are currently pushing to get tv content on the iPad by April 3rd. This could possibly be seen as a spoiler for that announcement I suppose....
1 day ago by John Molloy
Hey - presume you mean something that builds on Apple's existing TV device? Apple have already had a couple of runs at building Apple TV and it's...
2 days ago by Andrew Donoghue on Google's TV timing may reveal more to come
Google, Sony, Intel may build TV project www.zdnet.co.uk/news/emerging-tech/2010/03/18/google-sony-intel-may-build-tv-project-40088359/
2 days ago on Twitter by BVE2011 70,0000 to 90,0000 computers? A very small number considering some of these botnets are in the millions, and there are so many of them operating,...
2 days ago by ator1940 on Microsoft says it decimated Waledac botnet I agree Roger, and why can't they write secure code? What will happen when they find stolen code in windows? They have a track record of...
2 days ago by ator1940 on Microsoft lashing out at Linux, open source Do you think it will really take days?
2 days ago by ator1940 on Microsoft previews Internet Explorer 9 with HTML 5 support
Wonder how many days it will take before somebody codes an exploitive hack for IE9?
2 days ago by Xwindowsjunkie on Microsoft previews Internet Explorer 9 with HTML 5 support
There are some really good people in Microsoft and I wonder, how embarassing it must be for them to see how the organisation behaves from it's...
2 days ago by roger andre on Microsoft lashing out at Linux, open source On further inspection, it looks like some things are missing, is it possible that there was a time lag between whatever state the site was in that...
2 days ago by J.A. Watson on Welcome to the new ZDNet UK community!
Ok. Now I'm getting annoyed. Previously I could just click on just about any item or comment I saw and get a reply box. How do I manage that...
2 days ago by Tezzer on ZDNet UK: faster, smarter, still IT all the way hey Roger. Think I have spotted a bug as when I click on my name it takes me to the same page as if I had clicked on "Edit Profile". i.e...
2 days ago by Andrew Donoghue on ZDNet UK - Now cleaner than an Archbishop's conscience
Great new look for ZDNET UK web-site http://bit.ly/9R5eAA to check it out @ZDNetUK #zdnet
2 days ago on Twitter by ajclarkeFor multi-store outlets, including retail, banking, grocery, gas, hospitality, convenience stores and others, reducing (or avoiding) the cost of in-store system support and maintenance while maintaining compliance with PCI and other requirements has become a strategic challenge.
Speaker: Dr. Chenxi Wang, Principal Analyst, Security and Risk Management, Forrester Research, Inc. As Enterprises are increasingly connected to the Internet and as hard organizational boundaries are fast disappearing, security professionals are facing fresh challenges in Enterprise computing.
This tutorial is for new MindManager users and teaches you how to get started, by creating maps, reading maps and organizing your information.
Talkback
well, aint that just typical. of course MS want people to dislcose these to them first. that way they can hide it from everyone else while taking their time preparing a fix. all while nobody knows any better.
10 Nov 04 13:12 Replythey want it to work in a way where they release fixes before the problems are made public so it will look like they are the ones putting in all the hard work securing their software when in fact it is others.
it's better for everyone if it's made public first, that way MS have to get their a$$es into gear and prepare a fix quickly!!
Microsoft are even more irresponsible for releasing buggy security risk software and charging users a fortune for. Its funny they always chastise everyone except themselves.
10 Nov 04 14:52 ReplyIt is all very well for Microsoft to want to wait until they have a fix for a flaw before making it public. However, if one person has found the flaw and comes forward to report it to Microsoft, who is to say that somebody less scrupulous hasn't also already discovered it and is planning to exploit it before MS can get a patch out.
10 Nov 04 15:27 ReplyI don't care if MS has a patch ready when a weakness is found, I would rather have that information available so that I can protect myself and my customers in the best way possible until a patch *is* released.
Why are Microsoft so willing to put their customers machines and networks at risk for the sake of appearing to be able to respond to threats faster?
If aircraft have a potential problems, then they are grounded or put on restriction until a solution is found.
Everybody knows Microsoft have security problems with their software, and that they are working on improving the situation. Fine. But withholding information (lying by omission) isn't going to help their reputation.
And statements like this don't help inspire confidence in their products. If this one exploit has been discovered and released in a manner that Microsoft don't like, just how many more exploits and security holes are their, that somebody knows about and MS are "dealing" with? 0? 1? a hundred? thousands?
It isn't a comforting thought that you are putting your businesses IT in the hands of a company you can't trust!
How many flaws does MS find by them selves in their own software.
10 Nov 04 16:41 ReplyNone I suppose.
And I suppose they are not searching either.
However, there are no reasons to use IE at all.
And there are less and less reasons to use Windows.
the fix is called FIREFOX
10 Nov 04 20:24 ReplyThe "iresponsible" action is that Mircrosoft continues to dump bug ridden poor software with countless security flaws on the world market, and it charges us for the privelage.
10 Nov 04 20:28 ReplyA web page called moviepass.tv is offering a three day free trial to see their product, which I did and found it not to my liking. I failed to read the small print saying that if I did not advise before the trial days are over I am under legal obligation to pay for a years subscription. Now I am unable to work on the net withour constant pop ups saying I have to pay-
20 Apr 06 00:47 ReplyIs this legal?
To whom should I direct an official complaint?
To Anonymous regarding Moviepass: You can complain to Moviepass although I can assure you their customer service agents will refuse to co-operate but much better is to complain to the Federal Trade Commission. Tens, if not hundreds, of thousands of people have been affected by Moviepass installing itself without knowledge or consent on users computers. The more people report this to the FTC the more likely they are to act quickly against Moviepass. If you go to this webpage... http://profend.com/answers/moviepass you'll see a very obvious link to the FTC but also if you go to the Further Info page there's other organisations you can contact, there's the contact info for Moviepass and other stuff about Moviepass as well.
25 Apr 06 03:16 Replyi'm really getting fed up with moviepass. the time that they say i signed up for the 3 day pass, there was absolutely no-one at home. i want it stopped
30 Apr 06 00:11 ReplyGo to the website mentioned in earlier post it has all instructions for removing moviepass.
3 May 06 02:03 Replyhttp://www.profend.com/answers/moviepass.html
I have problems with moviepass.tv i have no
17 May 06 18:22 Replyway of paying this people i never even appled
but they keep sending messages i'm looking for away get them of my computer and my
back please help.
I'm low income and i don't have a credit card
or checks and i can not pay by phone
these people do not leave anyone away to cntact them to let them know that can't pay them what they ask of me.
i have been informed that my 3day free trial has expired,as i did not ask for this i dont see how it has expired. now i cant get on my pc. without moviepass.tv keep coming up. how can i get rid of it,or get even?
23 May 06 21:45 Reply