Microsoft: that isn't one security flaw - it's two separate flaws
Written by Munir Kotadia, Contributor
Commentary: Microsoft was a little unhappy with an article I wrote this week because it contained a slight factual error. The error arose from two separate companies finding an almost identical security hole in Windows XP SP2 and Internet Explorer (IE), which I mistakenly assumed was the same vulnerability.

In my article I said it was a single problem, but Microsoft was kind enough to explain that they are actually two separate security-related issues that have nothing to do with each other.

On 15 November, security company Finjan sent out a security advisory warning that it had found ten flaws in Windows XP SP2. One of the problems described a situation where a user's system could become infected with malware by simply visiting a Web site using IE.

The company said that hackers could bypass IE's notification mechanism about the downloading and execution of .exe files, which means executable files could be stored on the victim's computer without any warning.

Little more than a week later, French Web site K-otik published source code that proved it was possible to create a custom "Error 404" message to disguise an executable file as 'safe' HTML code. This would allow a malicious Web site to upload a file to the start-up folder on a user's computer simply by making them click on a dialogue box.

The vulnerability that K-otik described means that, while surfing with IE, within two clicks your computer could save a malicious file on your hard drive that could execute the next time the system is restarted.

The mistake I made was to assume that both of these advisories were describing a common problem. I asked Microsoft if they were related but they never gave me a direct answer, though they were keen to point out that "early investigations reveal the reports to be misleading".

Additionally, Microsoft said K-otik's code did not exploit a security hole in its software but instead demonstrated how social engineering can be used to fool a user into downloading and, eventually, executing that file.

This was not dissimilar to the company's response when Finjan issued its advisory.

At the time, Microsoft said: "Our early analysis indicates that Finjan's claims are potentially misleading and possibly erroneous regarding the breadth and severity of the alleged vulnerabilities in Windows XP SP2".

On both these occasions Microsoft's initial response has been to try to play down the seriousness of the problem and encourage its customers to apply patches and spend more money on additional security products.

Neil Campbell, the national security manager of IT services company Dimension Data, said last month that he is never surprised when software developers play down the risks while security researchers play them up.

"One of the ways to gain credibility as a security researcher is by identifying vulnerabilities. It is in the researcher's best interests to talk potential problems up. The vendors naturally have to talk the problem down and somewhere in-between there is the truth," said Campbell.

Campbell said a good way of deciding on the actual severity of a vulnerability is to look at the number of people being affected and the impact it is having.

"If you can't identify any victims then you would tend to believe the vendors. But if you know that five million computers have been attacked you would tend to believe the security researchers," said Campbell.

Vincent Gullotto, vice president of AVERT, McAfee's antivirus response labs, said that the biggest problem facing both home and corporate users over the next year will be spyware and adware.

"Adware and spyware have taken up the majority of my team's time and a majority of our customers' time. You don't always hear about it because corporates don't like to tell and you don't hear so much from consumers because they don't get a chance to tell," said Gullotto.

Various security companies have estimated that between 40 and 90 percent of all corporate desktops contain some kind of spyware.

Spyware and adware programs are usually installed on a computer by mistake and are used by third parties to collect data about the user. This information helps create targeted adverts, or provides invaluable usage data for product development and marketing teams. However, similar pieces of software are also used by criminals to commit ID theft and fraud.

There is obviously a problem out there and it seems to affect a lot more than five million computers. So following Campbell's logic, this means the security researchers are right.

If you have a brand new Windows XP machine with SP2, we now know that it only takes a couple of naive clicks for your system to be infected with some kind of malware.

The situation is much worse if you haven't yet updated to Windows XP SP2 or you are one of the 40 percent of users (a figure quoted by Steve Vamos, managing director of Microsoft Australia) who are using a Windows platform older than XP.

Network administrators and IT managers have a lot on their plate and yet Microsoft - along with so many other successful software developers - is behaving like a huge PR machine instead of an innovative software development company.

There is obviously a huge malware problem out there and companies in the position of Microsoft should stop simply being seen to do something and instead actually do something.

I'm very pleased that Microsoft's PR company made contact to correct my error because ZDNet Australia readers that mistakenly thought there was only one potentially serious security flaw in Windows XP SP2 and IE now know there are at least two.