InternetWeek

Vendor Warns Of New IE Holes; Microsoft Calls Reports Irresponsible

By Mitch Wagner


A security vendor Monday claimed to have found nine new Microsoft Internet Explorer vulnerabilities, many of them critical.

If vendor GreyMagic's claims are accurate, the vulnerabilities would allow attackers to steal private local documents, steal cookies from any site, forge trusted Web sites, steal clipboard information and execute arbitrary programs. More information and demonstrations are on a page at the Web site of GreyMagic. GreyMagic issued another advisory about a Microsoft security hole last week. GreyMagic recommends disabling Active Scripting in Internet Explorer, or upgrading to Version 6 SP1, to fix the problems.

The problems involve object caching in Internet Explorer 5.5 and 6.0. Prior versions of IE and IE6 SP1 are not vulnerable. Other applications that use the Internet Explorer engine, such as the AOL client and MSN Explorer, are also affected.

Microsoft said it just learned of the vulnerabilities Monday when GreyMagic posted information on them, and immediately launched an investigation.

GreyMagic's statements launched another round in an ongoing argument between software vendors and independent security consultants over how security flaws should be disclosed.

Vendors generally want to be informed of security problems confidentially, saying users are protected when vendors are given time to patch problems before they're widely known. Consultants say that users are best protected when the users are immediately aware of risks. Each side accuses the other of bad faith: vendors accuse consultants of trying to use security flaws to drum up publicity, while consultants accuse vendors of trying to cover up problems rather than fixing them.

GreyMagic said, "Notifying Microsoft ahead of time and waiting for them to patch the reported issues proved as non-productive." The company added in an e-mail statement, "We believe that the users have a right to know about vulnerabilities in popular software and take action in protecting themselves using the suggested workarounds while Microsoft is working on a patch."

GreyMagic said Microsoft has taken three to six months to fix previously reported security holes in Internet Explorer.

"Microsoft takes quite a while to plug even the simplest security issue, leaving users exposed to risks for months at a time instead of letting them know about temporary workarounds. They also insist on releasing cumulative patches, instead of patches that address only a single issue, which slows them down even further. They claim that their 'users' prefer it that way... In our opinion, they should do both, users who prefer the cumulative patching method could stick to it, users who prefer to patch as soon as a patch is ready would use directly addressed patches."

Microsoft spokesman Rick Miller responded, "That assertion is a red herring. Unfortunately, by releasing this information publicly, users have been put at risk. If [GreyMagic] were truly interested in protecting people, they would have worked with us to develop remediation rather than deliberately arming malicious users against a largely unsuspecting public."

Miller added, "The majority of users simply cannot or do not use publicly posted information to protect them from new vulnerabilities. The most effective way to ensure the safety of the greatest number of Microsoft customers is to discuss security vulnerabilities only after users can be offered remediation. We are absolutely committed to keeping customers' information safe and we deliver comprehensive and thoroughly tested fixes to our customers in as timely a manner as possible."

Copyright © 2010 CMP Media LLC