ZDNet UK


Skip to Main Content

  1. Home
  2. News
  3. Blogs
  4. Reviews
  5. Jobs
  6. Resources
  7. Community
  8. My ZDNet

 

ZDNet UK RSS Feeds


Security threats Toolkit

Microsoft complains about 'irresponsible' security revelation

Dan Ilet ZDNet.co.uk

Published: 10 Nov 2004 12:28 GMT

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Microsoft has slammed the people responsible for publishing details of the vulnerability that has lead to the creation of the bofra virus.

The software giant, which has yet to release a patch for the flaw, said that the vulnerability was not reported in a responsible fashion.

In a prepared email statement from a Microsoft spokesperson, the company said: "Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. "

"We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities with no exposure to malicious attackers while the patch is being developed."

The bofra virus, which antivirus companies initially believed to be a MyDoom variant, emerged on Monday after the vulnerability it was based on was published last week on a Web chat forum.

On Friday security firm Secunia issued an advisory on the vulnerability, saying that the flaw was 'extremely critical'. Chief technology officer for the company Thomas Kristensen said that 'Ned', the individual who initially found the bug, stumbled across it when testing browsers when using a publicly available tool. The tool crashed IE, so he posted a question on an Internet forum asking others to look at why the program had failed. With some additional research from others in the community, it came to light that the IFRAME flaw was causing the crash.

"Microsoft is right that those who disclose this kind of thing are irresponsible," said Kristensen. "But in this case, it's slightly different because he [Ned] published the first part and they [the other researchers] published the second part. And he didn't do it -- it was done with a tool. If you find a crash in a browser, you might not know if it's serious or not. He might not have been able to test that."

The bofra virus sends out hundreds of emails from an infected machine. The reader on the target machine follows a link sent in the email, which leads to a Web site hosted on the original infected PC. The IE exploit on that Web site turns the computer into another infected machine, and the cycle starts again. All version of the worm also open a back door to the infected computers.

Microsoft has yet to release a patch for the IE vulnerability, but advised users to upgrade to Windows XP SP2, which is apparently unaffected by the flaw.

  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with Konica

Did you find this article useful?
88 out of 190 people found this useful


In association with Intel

Talkback

Post a comment


Full Talkback thread

12 comments

  1. well, aint that just typical. of course MS want pe... michael
  2. It is all very well for Microsoft to want to... David Wright
  3. How many flaws does MS find by them selv... Anonymous
  4. Microsoft are even more irresponsible for releasin... Anonymous
  5. the fix is called FIREFOX MURT
  6. The "iresponsible" action is that Mircrosoft conti... Stuart Bailey
  7. A web page called moviepass.tv is offering a three... Anonymous
  8. To Anonymous regarding Moviepass: You can co... Trevor
  9. i'm really getting fed up with moviepass. the... oneal kirby
  10. Go to the website mentioned in earlier p... Dave S
  11. i have been informed that my 3day free trial... sidney baines
  12. I have problems with moviepass.tv i have no way of... George A Butler

Related Links

More In Security threats


Company/Topic Alerts

Create a new alert from the list below:






Related Jobs

INFORMATION SECURITY OFFICER

Technology Risk Analyst, IT Security, CISM, CISSP, CISA, SSCP, London

Information Security Officer

Sentry Posts Blog

The Technological Singularity

Are we approaching a point when machines may wake up and become self or seemingly self aware? Vernor Vinge in 1993 seemed to think so. He refered to this event as the "technological... More

2 comments

Mobile Operating Systems: MOPS At a Gl...

Mobile Operating Systems: At a Glance Author: Eric Everson, Founder MyMobiSafe Since posting my blog exposing the security Google G1 security issue, I have received a few emails... More

Post a comment

Met Police catch test cheats

I saw the funny side of this press release, I can just imagine the two people sitting in the car giving the answers to the questions. Why they had wires running from under the bonnet... More

Post a comment

Featured Oracle Resources

Human Resources Management eBook

Supply Chain Management eBook

Design and Innovation Report

Economist Intelligence Unit Report - Technology and growth at mid-sized companies

See All White Papers