Microsoft acknowledged twice in one week that it had underestimated the threats posed by two different software flaws, raising more criticism of the company's security policies.
The software giant said it plans to change the severity rating of a vulnerability in software common to Internet Explorer and other Windows applications from "important" to "critical." The move was prompted by an in-depth analysis written by the security researchers who found the flaw.
The advisory originally said the vulnerability could be used only to crash Internet Explorer, a denial of service. However, after two weeks of research, security firm eEye Digital Security warned PC users that the flaw, which lies in the handling of the open image format PNG (Portable Network Graphics), could be used to run arbitrary code on the victim's system.
Late last week, Microsoft raised its threat rating for a security flaw in its Internet Explorer browser to "critical," in response to criticism of its initial assessment of the flaw's severity. A Microsoft representative said the company had changed its original rating of a flaw in IE versions 5.5 and 6 as a result of comments posted to the Bugtraq mailing list by a security consultant.
The first security hole exposed millions of Web servers and PCs to potential hacking. That flaw likely affected the more than 4 million Web sites using Microsoft's Internet Information Server software.
Microsoft also warned of eight flaws in its version of the Java virtual machine, the worst of which "could enable an attacker's Java applet to gain control over another user's system," according to the alert. The malicious program could let an attacker add, delete or change data on the victim's computer as well as run programs.
Certainly mistakes are bound to occur when writing software, observers say. But Microsoft says a research firm is very mistaken when it predicts that the growing popularity of Linux will force the software giant to bring its software to the Unix clone starting in late 2004. Microsoft, which has no love for Linux technology and its open-source philosophical underpinnings, quickly poured cold water on the report.
From CNET News.com Week in Review - Dec. 14, 2002.