continued to investigate three recently
reported vulnerabilities in multiple versions of its Windows operating system Tuesday,
it delivered a message to security groups anxious to publicly report bad news: It does
more harm than good.
Less than a week after Chinese security group Xfocus publicly released
proof-of-concept code, claiming that, among other high-risk vulnerabilities, there
was a flaw in the Windows LoadImage API function, Microsoft was urging security groups
to follow established industry practice for reporting potential vulnerabilities.
A spokeswoman for the company said Microsoft was disappointed that Xfocus
released the information before sharing it with the company and security vendors.
She also said the actions put computer users at risk.
“We believe the commonly accepted practice of reporting vulnerabilities directly
to a vendor serves everyone’s best interests, by helping to ensure that customers
receive comprehensive, high-quality updates for security vulnerabilities with no
exposure to malicious attackers while the fix is being developed,” she said.
Xfocus also reported that the Windows help file parsing program was vulnerable
to malicious attacks on systems patched with the second service pack for Windows XP.
The group also pointed to a bug in Windows’ animated cursor files.
These vulnerabilities are believed to affect Windows NT, Windows 2000 SP0, SP1,
SP2, SP3, SP4, Windows XP SP0, XP SP1 and Windows 2003.
Microsoft acknowledged the vulnerabilities but claimed it was not aware of any
active malicious attacks and said there had been no immediate customer impact.
As reported earlier on internetnews.com, several security vendors, including Symantec
and Secunia, had confirmed Xfocus’ warning on Tuesday and noted that the most serious
of the three flaws was the one in the Windows LoadImage API function. That vulnerability
allows attackers to craft custom files and deliver them within an HTML page or in an
e-mail; a victim who opens such a file would let the attacker run arbitrary code on
that computer.
The company said it plans to take whatever appropriate action is necessary
to resolve any security issues.
“Upon completion of [our] investigation, Microsoft will take the
appropriate actions to protect customers, which may include providing a fix
through our monthly release process or an out-of-cycle security update, depending
on customer needs,” the Microsoft spokeswoman said.