Security firm Secunia posted a new advisory today warning users about a pair of vulnerabilities in a fully patched version of Microsoft’s Windows XP running Service Pack 2 (SP2).
But Microsoft , for its part, criticized the alert, saying the vulnerability was not properly disclosed through the appropriate channels.
The vulnerabilities pointed out by Secunia could potentially fool users into downloading a malicious file that impersonates a regular HTML document.
The first vulnerability Secunia noted said when users try to download certain types of files while running SP2, they are notified of the potential security risk. The vulnerability reported in Secunia’s advisory bypasses that security warning with an HTTP header that alters the “Contain Location” of the file to be downloaded such that it doesn’t trigger a security alert.
The second vulnerability takes advantage of a default setting in SP2 to potentially allow a malicious file to “spoof” the file extension so that the user would believe the file in question to be something different that what it actually is.
By default, Internet Explorer offers an option called “Hide extension for known file types.” The actual spoofing takes advantage of the “execCommand()” Javascript function.
A Microsoft spokesperson told internetnews.com that the company is aware of Secunia’s listing of unfixed vulnerabilities in Internet Explorer and is actively investigating reports through the security response process.
“We have not been made aware of any active attacks against the reported vulnerabilities or customer impact at this time, but we are aggressively investigating the public reports,” the Microsoft spokesperson said.
“Upon completion of these investigations, Microsoft will take the appropriate action to further protect customers, which may include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs.”
The Secunia advisory was not disclosed responsibly, according to
Microsoft’s spokesperson, and wasn’t reported directly to Microsoft.
“Microsoft is concerned that this new report of a vulnerability in
Internet Explorer was not disclosed responsibly, potentially putting
computer users at risk,” the Microsoft spokesperson claimed. “We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone’s best interests, by helping to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities with no exposure to malicious attackers while the patch is being developed.”
Microsoft’s Security Response Center (MSRC) is designed for that purpose: to investigate, fix and learn from security vulnerabilities The effort involves groups such as the Secure Windows Initiative team that evaluate the potential of a security threat.
In addition, it said Product Support services provide customers information on what to do while Security Engineering works on developing mechanisms to prevent the error from re-occurring.
The company said users can report flaws in Microsoft products at:
http://www.microsoft.com/technet/security/bulletin/alertus.aspx