The company said it did not know why people were particularly keen to publicly expose holes in IE before informing Microsoft. The researchers announce their findings online, sometimes anonymously, and their activities hover somewhere between the publicly documented work of the professional security companies, and the hacking community.
"This is a new researcher and I don't know what his reasons are," said Thomas Kristensen, CTO of Secunia. "But it's available out there on exploit. He's got a sample of how it's done. With this vulnerability it's necessary to prove how it works. But this tends to be the trend with IE vulnerabilities. The researchers build the exploit before the fix can be released. Why that is, I don't know."
Kristensen said Secunia was talking to Microsoft to help the company fix the problem.
"We have talked to Microsoft. They are working on the case. They need some time to look at this, but we won't disclose details of how they are working on the patch."
Earlier this week, Microsoft lashed out at researchers for failing to act responsibly by not disclosing vulnerability details to it first.
Three vulnerabilities were discovered in IE 6.0, which Secunia published advisories about after it found them posted on a Web site by a researcher called 'cyber flash'. Kristensen said it was the company's policy not to reveal vulnerability details until a fix had been provided -- unless they were already in the wild.
Earlier this month, the software giant chastised another group of researchers for publishing details of an IE buffer overflow vulnerability on the Web before it had a chance to fix the problem.

Talkback
Hi,
My handle is 'Cyber Flash' (aka Vengy)
The main reason I pointed out these IE weaknesses is that once someone touts a product as very secure or not capable of being exploited, I find it an intellectual challenge to disprove those beliefs.
Example, Macromedia Flash was very proud of their security until I gave them swf/lfm-926.
Plus Eye security discovered even more severe buffer overflows.
As far as posting these methods - I've had situations recently whereby I'd spend months cracking some security codes, report the bug, and the company quietly fixes it and dismisses the effort required in finding and reporting the bug.
I have no ill against M$. I actually like and use M$ software every day - It was simply a dream of mine to find a bug in IE. I spent last week seriously looking for one and happened to stumble upon the execCommand.
As far as disclosure, I deemed this new IE glitch as not a zero-day exploit since it requires user interaction to propagate. If this were a CodeRed type quirk, I'd definitely alert M$ first.
My goal was to demonstrate that even a God-Like software company like M$ can be humbled by very simple exploits such as a few well placed characters.
Example:
This code bypasses IE security:
<iframe src="virus.exe?.htm">
whereas
<iframe src="virus.exe">
does not. Existence of such mundane glitches indicates to me that software in general isn't very secure. Where there's one bug, most likely another is lurking close by.
My next adventure is to find a bug in the Firefox web browser. They're getting a little too cocky at the moment. ;)
For all you script kiddies out there, don't be afraid of powerful software, launch your code disassemblers, debuggers and have some fun.
Over and out.
(-_-)
P.S. I'm sure elite security researchers/hackers already have numerous exploits to infiltrate our PCs without us even being aware - cool but scary too!
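The two iframe sources quoted in the post above illustrate a general filtering mistake. The following is an added example, not code from the post, from Secunia or from Microsoft: a check that looks at the last dot of the raw `src` string classifies "virus.exe?.htm" as an HTML page, while a check that first parses the URL and inspects only the path component sees the ".exe". The blocked-extension set and the sample values are constructed for the demonstration.

```python
from urllib.parse import urlsplit, unquote
import posixpath

# Constructed list of extensions a frame loader should refuse to fetch.
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}


def naive_extension(src: str) -> str:
    """The fooled check: take everything after the last '.' of the raw
    attribute value, so anything appended after '?' or '#' wins."""
    dot = src.rfind(".")
    return src[dot:].lower() if dot != -1 else ""


def effective_extension(src: str) -> str:
    """Extension of the resource actually addressed: drop query string
    and fragment, decode percent-encoding, then split the path."""
    path = unquote(urlsplit(src).path)
    return posixpath.splitext(path)[1].lower()


def is_blocked_frame_source(src: str) -> bool:
    """True when the parsed path points at a blocked file type,
    regardless of any '.htm' suffix smuggled in after '?' or '#'."""
    return effective_extension(src) in BLOCKED_EXTENSIONS


# Constructed samples: the two sources from the post plus variants that
# move the decoy suffix into the fragment or percent-encode the real dot.
SAMPLES = [
    "virus.exe?.htm",
    "virus.exe",
    "page.htm",
    "virus.exe#.htm",
    "virus%2Eexe?.htm",
]


def compare(src: str):
    """Return (naive, effective, blocked) for one src value."""
    return naive_extension(src), effective_extension(src), is_blocked_frame_source(src)


if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:18} naive={compare(s)[0]:5} real={compare(s)[1]:5} blocked={compare(s)[2]}")
```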
Surely if Microsoft don't have a patch available for an exploit, then it is even more important for users to be aware of it and be on their guard.
Burying their users' heads in the sand until they have a fix does not make for a more secure product!
I've worked as a developer, consultant and project manager for over 15 years. In that time, I've always found the best way to maintain a good relationship with my customers is to keep them informed about what is going on.
I've joined projects where the levels of trust and co-operation between the client and ourselves have been at a low, while problems have been covered up or blame shifted to "user error". By being honest "we have a problem, this is what it is and this is what we are doing to fix it," with possibly a "in the meantime, use this method to work around it," I've found the levels of trust and co-operation and even friendship have risen significantly.
Microsoft have hidden behind their walls too long and are losing touch with the common users' needs and requirements. Having a policy of "nothing to see here, move along," which gets ridiculed in the press every couple of days isn't a good place to start building a relationship of trust.
The problem is, Microsoft has got so good at covering up the truth and issuing spin, that nobody believes them anymore, and more to the point fewer and fewer people trust them and their products.
Before taking on Open Source and other groups they can put negative spin on, they need to stand up to their biggest enemies, their own marketing and PR.
Their constant hiding the truth, obvious re-alignment of facts in their favour, spreading FUD on other companies and groups just make them ridiculed in professional circles.
I believe they have become so used to getting their own way that they don't see that their policies are now alienating their customer base and is starting to bite them in the ass.
I use a mixture of MS and open source software in my job, and I find I use Linux more and more. Not because I have caught Linux-fever or I am anti-Microsoft (although the amount of stupid comments and double talk coming out of Redmond in recent months is making it hard to stay objective), but because I find it comfortable to work with and I feel more secure, configuration is more transparent, I feel more in control. Windows makes you feel like you are using a product that has been dumbed down to the point where important information on the running of the machine is obfuscated.
Microsoft say their product is more secure because I can't examine the code for bugs and security holes, and compile it myself. If something plays up in Linux, I can watch the process and if it looks suspicious, I can re-compile the source and walk through it in a debugger, I can examine the code for bugs. I haven't felt the need yet, but it is re-assuring.
Nowadays, even when on my Windows machines, I wouldn't wander the web with IE, I just don't trust it.
I think it is too strange and interesting.
But I don't read it. Sorry!!!
My name is Alex, I am from RUSSIA.
Write to me at my email address: korobka@tvcom.ru
I'll be waiting for your message, but PLEASE
write SOON!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Alex.