[ISN] Microsoft again ups risk rating on an IE flaw

From: InfoSec News (isnat_private)
Date: Mon Dec 16 2002 - 03:20:28 PST

    http://www.nwfusion.com/news/2002/1213ieflaw.html
    
    By Joris Evers
    IDG News Service
    12/13/02
    
    For the second time this month Microsoft will raise the risk rating on 
    a flaw affecting Internet Explorer (IE) after experts told the company 
    it underrated the issue. 
    
    The cumulative patch announced on Nov. 20 in Microsoft's security 
    bulletin MS02-066 for the IE Web browser will now be rated "critical," 
    up from "important," Steve Lipner, director of security assurance at 
    Microsoft, said in a statement sent via e-mail on Friday. 
    
    Microsoft initially thought a buffer overrun that results when PNG 
    (Portable Network Graphics) files are opened could only be exploited 
    to cause IE, Microsoft Office applications or the Microsoft Index 
    Server to fail. Now Microsoft warns that successful exploitation of 
    the flaw could allow an attacker to gain control over a user's 
    machine. 
    
    Security vendor eEye Digital Security, the discoverers of the PNG 
    vulnerability, earlier this week said the flaw should get the highest 
    risk rating as it allowed an attacker to run code on a victim's PC. As 
    a result, Microsoft is raising the severity rating of bulletin 
    MS02-066, although it has not yet been able to verify the exploit, 
    Lipner said. 
    
    Buffer overrun flaws generally allow an attacker to take over a user's 
    machine. An attacker exploits an unchecked buffer in a program to load 
    his own code onto a system and run it. 
    
    This is the second time this month that Microsoft has been forced to 
    increase the severity rating on a security vulnerability affecting IE, 
    the Web browser used by millions worldwide. Last week, Microsoft 
    increased from "moderate" to "critical" the rating on a flaw in an IE 
    security feature discovered by GreyMagic Software of Israel. 
    
    After reexamining that issue, Microsoft said it found a new exploit 
    scenario that could allow a malicious user to run code on a user's 
    computer via a specially crafted Web site or e-mail message, 
    warranting a severity rating of critical, it said. 
    
    Under Microsoft's security rating system, changed last month, critical 
    vulnerabilities are those that could be exploited to allow Internet 
    worms to spread without user action. Vulnerabilities rated "important" 
    are those that could expose user data or threaten system resources. 
    The two other ratings are "moderate" and "low" and are given depending 
    on how difficult it is to exploit a flaw. 
    
    "We are continuing to review our processes for reproducing reported 
    vulnerabilities, and for working with external security researchers to 
    ensure that our severity ratings are as accurate as possible," said 
    Lipner. 
    
    The cumulative patch announced in MS02-066 provided all previously 
    released fixes for IE 5.01, IE 5.5 and IE 6.0 and patched six other 
    new vulnerabilities. To exploit the PNG vulnerability, an attacker 
    would have to lure a user to a Web site hosting a deliberately 
    malformed PNG file, Microsoft said. According to eEye, an e-mail-based 
    attack is also possible. 
    
    The patch announced in bulletin MS02-066 does eliminate the 
    vulnerability. Microsoft notes that users should no longer install 
    this cumulative patch, as it has been superseded by a new one. The 
    latest super patch for IE, which includes all previously released 
    patches, was announced in bulletin MS02-068 on Dec. 4 and is rated 
    critical. 
    
    "We strongly encourage customers to apply the patch for MS02-068," 
    Lipner said.
    
    More details on the PNG flaw can be found in Microsoft security 
    bulletin MS02-066 here [1]
    
    [1] http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-066.asp
    
    
    
    



    This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 18:53:09 PST