Silicon Investor (SI) -- The First Internet Community

STOCKTALK

We've detected that you're using an ad content blocking browser plug-in or feature. Ads provide a critical source of revenue to the continued operation of Silicon Investor. We ask that you disable ad blocking while on Silicon Investor in the best interests of our community. If you are not using an ad blocker but are still receiving this message, make sure your browser's tracking protection is set to the 'standard' level.

Pastimes : Computer Learning -- Ignore unavailable to you. Want to Upgrade?

To: thecow who wrote (26443)	3/29/2002 8:47:18 PM
From: SIer formerly known as Joe B.	Respond to of 110655

2 NEW CRITICAL UPDATES.......... "Critical" holes trouble Microsoft Fri Mar 29, 8:05 PM ET David Becker CNET News.com story.news.yahoo.com Microsoft released a patch late Thursday for a pair of "critical" security holes in its Internet Explorer Web browser but was still investigating a widely publicized vulnerability in its Windows NT and Windows 2000 (news - web sites) operating systems. The browser patch corrects two flaws. The first makes it possible for a malicious hacker to place code on a Web surfer's PC by way of a cookie. Cookies are small files that Web sites place in a secure area on surfers' PCs to track return visits. The flaw allows a script embedded in a cookie to be saved outside the secure area, on the PC's hard disk. The code can then be triggered the next time the surfer visits the site. The second flaw would allow a malicious programmer to include code on a Web site that would automatically execute programs already present on a surfer's PC once the surfer visited the site. Microsoft rated both flaws "critical" and advised PC users running version 5 through 6 of Internet Explorer to promptly download the new patch. Microsoft does not have a patch yet, however, for a recently publicized hole in the software-debugging component of Windows NT and Windows 2000. Malicious users could take advantage of the flaw in the debug tool to gain elevated privileges on a server running either of the operating systems. They could then access, modify and delete otherwise protected files. Reports of the hole began circulating in mid-March by way of security discussion groups and other Internet resources. But the flaw gained new attention Thursday when security services company Entercept Security Technologies issued a bulletin warning customers of the hole. Entercept security expert Chad Harrington said the hole poses a moderate risk, because the attacker would have to exploit it in person rather than over the Internet. He said Entercept contacted Microsoft about the flaw more than two weeks ago but decided to go public with the problem now because news of the risk was spreading while Microsoft was still preparing a response. "We were simply trying to educate people about something people in the hacking community already know about," Harrington said. "Generally we don't feel security researchers should publicize vulnerabilities until the software vendor has a fix...but this was a special case. The poison was already out there." Microsoft is still researching the vulnerability, the company said in a statement, and it criticized those who originally publicized the vulnerability on the Bugtraq security discussion site. "We are concerned that this report has gone public before we've had a fair chance to investigate it," the statement read. "Its publication may cause our customers needless confusion and apprehension or possibly even put them at risk. Responsible security researchers work with the vendor of a suspected vulnerability issue to ensure that countermeasures are developed before the issue is made public and customers are needlessly put at risk." Microsoft is working with security researchers to develop guidelines about how and when software vulnerabilities should be reported. The issue has become part of the company's "Trustworthy Computing" campaign to make security a priority in its products. Harrington said a temporary fix for the vulnerability was available from the Computer Emergency Response Team at the University of Stuttgart, Germany.