BBC NEWS | Sci/Tech

Wednesday, 19 December, 2001, 11:25 GMT
Microsoft closes browser holes
The security of Microsoft's net browser has suffered a serious blow
Microsoft has issued a patch for "critical" security holes in its popular Internet Explorer browser.

The software giant said that people should apply the patch "immediately" to protect themselves against malicious hackers.

Consumers who do not apply the patch leave themselves vulnerable to cleverly crafted attacks that disguise potentially pernicious programs as harmless alternatives.

The vulnerabilities exist in versions 5.5 and 6.0 of Microsoft's Internet Explorer.

Finnish finder

The patch closes three security loopholes in Internet Explorer. The most serious security hole was discovered by Jouko Pynnonen, of Finnish security firm Oy Online Solutions.

The problem revolves around the way that Internet Explorer handles the streams of webpage data sent to it as someone moves around the net. All webpages are defined using the Hypertext Markup Language (HTML).

Mr Pynnonen found that Microsoft's browser could be made to think that the HTML code it was receiving was a benign text file when in fact it was a potentially malicious program.

A computer criminal or malicious hacker who wanted to exploit this vulnerability could write a webpage that, as soon as it was visited, would run a program on the visiting computer.

The other fixes in the latest patch close a weakness that would let a remote user look at the files on someone else's computer, and another that could make downloaded files look like something they were not.

Disclosure clash

Although Microsoft has moved quickly to close the latest loopholes, it has faced criticism in recent weeks for a change in the way it handles information about the security failings of its products.

In October, Scott Culp, manager of Microsoft's security centre, called on the technology community to stop the wide distribution of information about security vulnerabilities in Microsoft products.

Mr Culp feared that wide disclosure of vulnerabilities would aid malicious hackers seeking to exploit the security holes, as much as it would aid those Microsoft customers trying to protect themselves against attack.

Instead, Mr Culp argued for restraint to allow Microsoft time to craft patches for security holes and to limit the information available to malicious hackers.

Pros and cons

However, security experts have criticised Mr Culp for adopting this strategy, saying that if software companies did a better job of writing programs the vulnerabilities would not be discovered so often, nor be so serious.

In an analysis of the advantages and disadvantages of spreading information about security holes, respected security analyst Bruce Schneier found that "full disclosure helps much more than it hurts", largely because it means that everyone gets the information at the same time and can do something about it.

He said the public pressure that full disclosure placed on companies meant they tended to work harder to solve problems quickly and ensured software could not be compromised even before it was released.

"Without publication, the security community can't learn from each other's mistakes," wrote Mr Schneier in his analysis.
