Microsoft Responds to IE Patch Complaints -- Redmondmag.com

Microsoft Responds to IE Patch Complaints

By Scott Bekker
05/20/2002

Microsoft ran into one of its classic security flaps this week over the latest Internet Explorer cumulative patch.

An Israeli security firm, GreyMagic Software, accused Microsoft on Thursday and Friday of failing to address the underlying issues that led to some of the 6 new vulnerabilities that Microsoft patched on Wednesday in MS02-023.

GreyMagic's post to a popular security mailing list raises the familiar themes of shoddy quality control and prompted quick counterreplies from Microsoft.

Microsoft acknowledged one point in the GreyMagic posts, but Microsoft officials took the opportunity to criticize GreyMagic for going public instead of trying to work with Redmond first and for misunderstanding the root cause of the problems the original IE patch fixed. Instead, Microsoft officials said the problems GreyMagic found appear to be two new security issues with Internet Explorer.

Microsoft urged users to immediately install the patch it issued May 15, and promised it was looking into the new problems.

"While it's too soon to say what the two investigations will reveal, we do want to assure customers that we will take the appropriate steps to help them keep their systems secure," a Microsoft representative wrote in an official response from the Microsoft Security Response Center.

The security bulletin was the third cumulative patch for IE this year and the fifth since November 2001. In all, the five cumulative patches have included fixes for 20 newly discovered vulnerabilities, with critical problems in each cumulative patch.

Three of the vulnerabilities in the latest cumulative patch rate a critical designation on Microsoft's threat scale. A cross-site scripting in local HTML resource problem affects IE 6.0; a local information disclosure through an HTML object affects IE 5.01, 5.5 and 6.0; and a script within cookies reading cookies affects IE 5.5 and 6.0.

The security bulletin, with the patch, is available at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-023.asp.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.
What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.