Posted on 11/11/2004 2:30:02 PM PST by Prime Choice
Microsoft is admonishing those who found the IFRAME vulnerability - the flaw exploited by the bofra virus - for the way they made it public.
Microsoft has slammed the people responsible for publishing details of the vulnerability that has lead to the creation of the bofra virus.
The software giant, which has yet to release a patch for the flaw, said that the vulnerability was not reported in a responsible fashion.
In a prepared email statement from a Microsoft spokesperson, the company said: "Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. "
"We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests, by helping to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities with no exposure to malicious attackers while the patch is being developed."
The bofra virus, which antivirus companies initially believed to be a MyDoom variant, emerged on Monday after the vulnerability it was based on was published last week on a Web chat forum.
On Friday security firm Secunia issued an advisory on the vulnerability, saying that the flaw was 'extremely critical'. Chief technology officer for the company Thomas Kristensen said that 'Ned', the individual who initially found the bug, stumbled across it when testing browsers when using a publicly available tool. The tool crashed IE, so he posted a question on an Internet forum asking others to look at why the program had failed. With some additional research from others in the community, it came to light that the IFRAME flaw was causing the crash.
"Microsoft is right that those who disclose this kind of thing are irresponsible," said Kristensen. "But in this case, it's slightly different because he [Ned] published the first part and they [the other researchers] published the second part. And he didn't do it -- it was done with a tool. If you find a crash in a browser, you might not know if it's serious or not. He might not have been able to test that."
The bofra virus sends out hundreds of emails from an infected machine. The reader on the target machine follows a link sent in the email, which leads to a Web site hosted on the original infected PC. The IE exploit on that Web site turns the computer into another infected machine, and the cycle starts again. All version of the worm also open a back door to the infected computers.
Microsoft has yet to release a patch for the IE vulnerability, but advised users to upgrade to Windows XP SP2, which is apparently unaffected by the flaw.
No, reality makes them so.
However, most would agree that Bill Gates and big Al are not two of the same type of businessmen.
Only the uninformed. Did you know that Bill Gates personally gave $100 million dollars to an organization that forcibly sterilizes people and forces abortions on women?
Evil enough for you yet?
Most who are anti-MS are those who do not have the ability complete lack of ethical values to do the same in the business world or any other world for that matter as MS and Bill Gates have done.
There, fixed it for ya.
That is sure a good idea......too bad MS won't be reading this.
Let's see...UNIX was created in the 1960s. Microsoft came into existence in the 1980s.
What, precisely, are you claiming Microsoft did first? Hell, even the Windows GUI is nothing but a cheap knock-off of the Macintosh interface.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.