For the second time this month Microsoft will raise the risk rating on a flaw affecting Internet Explorer (IE) after experts told the company it underrated the issue.
The cumulative patch announced on Nov. 20 in Microsoft's security bulletin MS02-066 for the IE Web browser will now be rated "critical," up from "important," Steve Lipner, director of security assurance at Microsoft, said in a statement sent via e-mail on Friday.
Microsoft initially thought a buffer overrun that results when PNG (Portable Network Graphics) files are opened could only be exploited to cause IE, Microsoft Office applications or the Microsoft Index Server to fail. Now Microsoft warns that successful exploitation of the flaw could allow an attacker to gain control over a user's machine.
Security vendor eEye Digital Security, which discovered the PNG vulnerability, said earlier this week that the flaw should get the highest risk rating because it allows an attacker to run code on a victim's PC. As a result, Microsoft is raising the severity rating of bulletin MS02-066, although it has not yet been able to verify the exploit, Lipner said.
Buffer overrun flaws generally allow an attacker to take over a user's machine. An attacker exploits an unchecked buffer in a program to load his own code onto a system and run it.
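The defect class described above, as an added illustration that is not code from the article, Microsoft or eEye: a PNG chunk reader that trusts the length field taken from the file, beside a hardened version that checks it. The chunk framing (big-endian length, type, data, CRC) is the standard PNG layout; the destination buffer size and the sample chunks are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define CHUNK_MAX 64  /* hypothetical fixed-size destination buffer */

/* Read a PNG chunk's big-endian 32-bit length field. */
static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Unchecked version: the length is taken straight from the file and
   trusted, so a chunk longer than CHUNK_MAX writes past `dst`. Shown
   only to make the defect visible; it is never called below. */
int copy_chunk_unchecked(const unsigned char *chunk, size_t avail,
                         unsigned char dst[CHUNK_MAX]) {
    (void)avail;
    uint32_t len = be32(chunk);
    memcpy(dst, chunk + 8, len);   /* BUG: len is never bounds-checked */
    return (int)len;
}

/* Hardened version: validate the length against both the destination
   buffer and the bytes actually present before copying. Returns the
   number of data bytes copied, or -1 if the chunk is rejected. */
int copy_chunk_checked(const unsigned char *chunk, size_t avail,
                       unsigned char dst[CHUNK_MAX]) {
    if (avail < 12)                 /* length + type + CRC at minimum */
        return -1;
    uint32_t len = be32(chunk);
    if (len > CHUNK_MAX)            /* would overrun the fixed buffer */
        return -1;
    if ((size_t)len > avail - 12)   /* file claims more data than it has */
        return -1;
    memcpy(dst, chunk + 8, len);
    return (int)len;
}

/* Convenience wrapper: parse into a scratch buffer and report the result. */
int checked_len(const unsigned char *chunk, size_t avail) {
    unsigned char buf[CHUNK_MAX];
    return copy_chunk_checked(chunk, avail, buf);
}

/* Constructed sample chunks (not real PNG files; CRC left as zeros). */
const unsigned char good_chunk[]      = { 0,0,0,4, 't','E','X','t', 'a','b','c','d', 0,0,0,0 };
const unsigned char huge_chunk[]      = { 0xFF,0xFF,0xFF,0xFF, 'I','D','A','T', 0,0,0,0 };
const unsigned char truncated_chunk[] = { 0,0,0,32, 'I','D','A','T', 0,0,0,0 };
```

Only `copy_chunk_checked` is safe to run on untrusted input; the unchecked variant exists to show the missing check, which is the root of the bug class the article describes.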
This is the second time this month that Microsoft has been forced to increase the severity rating on a security vulnerability affecting IE, the Web browser used by millions worldwide. Last week, Microsoft increased from "moderate" to "critical" the rating on a flaw in an IE security feature discovered by GreyMagic Software of Israel.
After reexamining that issue, Microsoft said it found a new exploit scenario that could allow a malicious user to run code on a user's computer via a specially crafted Web site or e-mail message, warranting a critical rating.
Under Microsoft's security rating system, changed last month, critical vulnerabilities are those that could be exploited to allow Internet worms to spread without user action. Vulnerabilities rated "important" are those that could expose user data or threaten system resources. The two other ratings, "moderate" and "low," are assigned according to how difficult a flaw is to exploit.