Microsoft has said it will take "appropriate action" to fix a problem in
Internet Explorer and Windows XP SP2 that allows a malicious Web site to
bypass the browser's warnings when downloading potentially harmful content.
The problem was first reported to Microsoft on Nov. 15 by security company
Finjan. At the time, Microsoft said Finjan's security advisory was
"misleading and possibly erroneous". On Monday, French Web site K-otik
published exploit code that could take advantage of the same vulnerability.
On Tuesday, a Microsoft spokesperson said that the company still believes
the claims are misleading because "significant user interaction and user
interface steps have to occur before any malicious code can be executed."
However, the software giant did admit that it was possible to bypass the
security warnings in IE--even when using Windows XP with Service Pack 2.
"Microsoft is investigating this method of bypassing the Internet Explorer
download warning and will take appropriate action to cover this scenario in
order for customers to be properly advised that executables downloaded from
the Internet can be malicious in nature," the spokesperson said.
The spokesperson acknowledged that if the file was saved in the start-up
folder, it would automatically run the next time the user restarted their
computer.
"The user must go to the folder containing that executable and choose to run
it, or log off and log back onto the computer if the attacker attempted to
save the malicious executable into the user's Windows Startup folder," the
spokesperson said.
However, the spokesperson said the problem was not a security vulnerability
but actually a clever use of social engineering.
"It is important to note that this is not the exploitation of a security
vulnerability, but an attempt by an attacker to use social engineering to
convince a user to save an executable file on the hard drive without first
receiving the Internet Explorer download warning," the spokesperson said.
Security experts disagree with Microsoft on this point.
Sean Richmond, senior technology consultant at antivirus firm Sophos
Australia, agreed that the exploit would require some user interaction but
said this was definitely bypassing a security feature in IE and SP2.
"This is certainly something that is bypassing some of the security features
that are meant to be there. It is a way of bypassing the dialogues in IE. It
will result in the (malicious) file being saved on the user's computer,"
said Richmond, who added that the matter would be worse if that file could
be saved in a computer's start-up folder.
Richard Starnes, an information security professional with around 20 years'
experience in information security, incident response, computer crime
investigation and cyber terrorism, said that legislation could be used to
force Microsoft--and other software developers--to improve their code and
take financial responsibility for their customers' losses.
"I wonder how solid Microsoft's coding would become if strategic governments
around the world removed the liability shield that software manufacturers now
currently enjoy. They would then have some real financial incentive to get
it right the first time, instead of this Computer Science 101 coding they
are continually churning out," said Starnes.
Starnes believes the quality of software development has fallen in the past
two decades.
"Most commercial releases of software today wouldn't have made it out of
beta 20 years ago," he added.