Mystery 'researchers' are revealing IE flaws

Security organisation Secunia says it can't explain why researchers are revealing vulnerabilities outside the normal reporting channels

Security company Secunia says it is perplexed by the motives of 'researchers' who recently published details of Internet Explorer 6.0 vulnerabilities and exploits on the Web.

The company said it did not know why people were particularly keen to publicly expose holes in IE before informing Microsoft. The researchers announce their findings online, sometimes anonymously, and their activities hover somewhere between the publicly documented work of the professional security companies and the hacking community.

"This is a new researcher and I don't know what his reasons are," said Thomas Kristensen, CTO of Secunia. "But it's available out there on exploit. He's got a sample of how it's done. With this vulnerability it's necessary to prove how it works. But this tends to be the trend with IE vulnerabilities. The researchers build the exploit before the fix can be released. Why that is, I don't know."

Kristensen said Secunia was talking to Microsoft to help the company fix the problem.

"We have talked to Microsoft. They are working on the case. They need some time to look at this, but we won't disclose details of how they are working on the patch."

Earlier this week, Microsoft lashed out at researchers for failing to act responsibly by not disclosing vulnerability details to it first.

Three vulnerabilities were discovered in IE 6.0, which Secunia published advisories about after it found them posted on a Web site by a researcher called 'cyber flash'. Kristensen said it was the company's policy not to reveal vulnerability details until a fix had been provided -- unless they were already in the wild.

Earlier this month, the software giant chastised another group of researchers for publishing details of an IE buffer overflow vulnerability on the Web before it had a chance to fix the problem.