Microsoft again ups risk rating on an IE flaw

For the second time this month Microsoft Corp. will raise the risk rating on a flaw affecting Internet Explorer (IE) after experts told the company it underrated the issue.

The cumulative patch announced on Nov. 20 in Microsoft's security bulletin MS02-066 for the IE Web browser will now be rated "critical," up from "important," Steve Lipner, director of security assurance at Microsoft, said in a statement sent via e-mail on Friday.

Microsoft initially thought a buffer overrun that results when PNG (Portable Network Graphics) files are opened could only be exploited to cause IE, Microsoft Office applications or the Microsoft Index Server to fail. Now Microsoft warns that successful exploitation of the flaw could allow an attacker to gain control over a user's machine.

Security vendor eEye Digital Security Inc. of Aliso Viejo, California, which discovered the PNG vulnerability, said earlier this week that the flaw should get the highest risk rating because it allows an attacker to run code on a victim's PC. As a result, Microsoft is raising the severity rating of bulletin MS02-066, although it has not yet been able to verify the exploit, Lipner said.

Buffer overrun flaws generally allow an attacker to take over a user's machine. An attacker exploits an unchecked buffer in a program to load his own code onto a system and run it.
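As an added illustration of that bug class (not code from the article, from Microsoft or from eEye, and not the actual IE defect, whose internals the article does not describe): a minimal PNG chunk reader written the unchecked way next to a bounds-checked version. The struct, the 64-byte destination size and the sample chunks are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example, not Microsoft's or eEye's code. One PNG chunk is
 *   [4-byte big-endian data length][4-byte type][data][4-byte CRC]
 * and the length field comes straight from the file, so a parser that trusts
 * it while copying into a fixed buffer is the unchecked-buffer class at issue. */

#define CHUNK_DATA_MAX 64          /* fixed destination size chosen for the example */
typedef struct {
    uint32_t length;
    char type[5];
    unsigned char data[CHUNK_DATA_MAX];
} png_chunk;
static png_chunk scratch;          /* shared output slot for the samples below */

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern (for contrast, never called here): the declared length
 * drives memcpy with no comparison against the destination or the input. */
void read_chunk_unchecked(const unsigned char *buf, png_chunk *out) {
    uint32_t len = be32(buf);
    memcpy(out->type, buf + 4, 4); out->type[4] = '\0';
    memcpy(out->data, buf + 8, len);      /* BUG: len is file-controlled and unchecked */
    out->length = len;
}

/* Hardened version: reject the chunk before any copy if the length exceeds
 * the destination or the bytes actually present. 0 = ok, <0 = malformed. */
int read_chunk_checked(const unsigned char *buf, size_t buflen, png_chunk *out) {
    if (buflen < 12)          return -1;  /* need length + type + CRC at minimum */
    uint32_t len = be32(buf);
    if (len > CHUNK_DATA_MAX) return -2;  /* would overrun out->data */
    if (len > buflen - 12)    return -3;  /* claims more data than the input holds */
    memcpy(out->type, buf + 4, 4); out->type[4] = '\0';
    memcpy(out->data, buf + 8, len);
    out->length = len;
    return 0;
}

/* Constructed inputs: a valid 5-byte tEXt chunk, one whose declared length
 * exceeds the destination, and one that declares more data than it carries. */
static const unsigned char SAMPLE_GOOD[]  = {0,0,0,5,'t','E','X','t','h','e','l','l','o',0,0,0,0};
static const unsigned char SAMPLE_HUGE[]  = {0xFF,0xFF,0xFF,0xFF,'t','E','X','t',0,0,0,0};
static const unsigned char SAMPLE_TRUNC[] = {0,0,0,20,'t','E','X','t',0,0,0,0};
```

A caller that receives a negative code should stop decoding the file rather than try to recover, since the remaining bytes can no longer be trusted.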

This is the second time this month that Microsoft has been forced to increase the severity rating on a security vulnerability affecting IE, the Web browser used by millions worldwide. Last week, Microsoft increased from "moderate" to "critical" the rating on a flaw in an IE security feature discovered by GreyMagic Software of Israel.

After reexamining that issue, Microsoft said it found a new exploit scenario that could allow a malicious user to run code on a user's computer via a specially crafted Web site or e-mail message, which warranted a severity rating of critical.

Under Microsoft's security rating system, changed last month, critical vulnerabilities are those that could be exploited to allow Internet worms to spread without user action. Vulnerabilities rated "important" are those that could expose user data or threaten system resources. The two other ratings are "moderate" and "low" and are given depending on how difficult it is to exploit a flaw.

"We are continuing to review our processes for reproducing reported vulnerabilities, and for working with external security researchers to ensure that our severity ratings are as accurate as possible," said Lipner.

The cumulative patch announced in MS02-066 provided all previously released fixes for IE 5.01, IE 5.5 and IE 6.0 and patched six other new vulnerabilities. To exploit the PNG vulnerability, an attacker would have to lure a user to a Web site hosting a deliberately malformed PNG file, Microsoft said. According to eEye, an e-mail-based attack is also possible.

The patch announced in bulletin MS02-066 does eliminate the vulnerability, but Microsoft notes that users should no longer install this cumulative patch, as it has been superseded by a newer one. The latest cumulative patch for IE, which includes all previously released patches, was announced in bulletin MS02-068 on Dec. 4 and is rated critical.

"We strongly encourage customers to apply the patch for MS02-068," Lipner said.

More details on the PNG flaw can be found in Microsoft security bulletin MS02-066 at: http://www.microsoft.com/technet/security/bulletin/MS02-066.asp

Joris Evers

PC World