Wednesday, 19 December, 2001, 11:25 GMT

Microsoft closes browser holes

Microsoft has issued a patch for "critical" security holes in its popular Internet Explorer browser.

The software giant said that people should apply the patch "immediately" to protect themselves against malicious hackers.

Consumers who do not apply the patch leave themselves vulnerable to cleverly crafted attacks that disguise potentially pernicious programs as harmless alternatives.

The vulnerabilities exist in versions 5.5 and 6.0 of Microsoft's Internet Explorer.

Finnish finder

The patch closes three security loopholes in Internet Explorer.

The most serious security hole was discovered by Jouko Pynnonen, of Finnish security firm Oy Online Solutions.

The problem revolves around the way that Internet Explorer handles the streams of webpage data sent to it as someone moves around the net. All webpages are defined using the Hypertext Markup Language (HTML).

Mr Pynnonen found that Microsoft's browser could be made to think that the HTML code it was receiving was a benign text file when in fact it was a potentially malicious program.

A computer criminal or malicious hacker who wanted to exploit this vulnerability could write a webpage that, as soon as it was visited, would run a program on the visiting computer.

The other vulnerabilities closed by the latest patch fix a weakness that would let a remote user look at the files on someone else's computer, and another that could make downloaded files look like something they were not.

Disclosure clash

Although Microsoft has moved quickly to close the latest loopholes, it has faced criticism in recent weeks for a change in the way it handles information about the security failings of its products.

In October, Scott Culp, manager of Microsoft's security centre, called on the technology community to stop the wide distribution of information about security vulnerabilities in Microsoft products.

Mr Culp feared that wide disclosure of vulnerabilities would aid malicious hackers seeking to exploit the security holes, as much as it would aid those Microsoft customers trying to protect themselves against attack.

Instead, Mr Culp argued for restraint to allow Microsoft time to craft patches for security holes and to limit the information available to malicious hackers.

Pros and cons

However, security experts have criticised Mr Culp for adopting this strategy, saying that if software companies did a better job of writing programs the vulnerabilities would not be discovered so often, nor be so serious.

In an analysis of the advantages and disadvantages of spreading information about security holes, respected security analyst Bruce Schneier found that "full disclosure helps much more than it hurts" largely because it means that everyone gets the information about it at the same time and can do something about it.

He said the public pressure that full disclosure placed on companies meant they tended to work harder to solve problems quickly and ensured software could not be compromised even before it was released.

"Without publication, the security community can't learn from each other's mistakes," wrote Mr Schneier in his analysis.