Information released publicly about a flaw in Microsoft’s Internet Explorer browser cannot yet be fixed and could enable an expert computer programmer to hijack personal computers, according to researchers.
Microsoft is expected to release a patch for the problem by the end of December. But at least one independent expert says the situation shows the need for greater regulation of the way computer bugs are made public.
Finnish computer security expert Jouko Pynnonen of Oy Online Solutions discovered the problem on 19 November. He released a limited description of the exploit on 26 November to the computer security mailing list Bugtraq.
Ollie Whitehouse, a London-based analyst with computer security firm @Stake, says that Pynnonen acted responsibly by restricting most of the details. But he believes that an expert could still probably figure out the problem independently.
Advertisement
“It would require someone with considerable aptitude in computer security,” Whitehouse told New Scientist. “Should he have waited to Microsoft to issue a patch? Yes, I think.”
Header manipulation
The flaw that Pynnonen has discovered exploits the different ways in which Internet Explorer treats files downloaded from the net and Microsoft operating system files. Other browsers are not integrated with Microsoft’s operating systems and are therefore unaffected.
By manipulating the header information of files before download, Pynnonen says it would be to possible to take control of another person’s computer.
“The vulnerability could be relatively easily and unnoticeably exploited to spread viruses, install distributed denial of service zombies or backdoors, format hard disks and so on,” Pynnonen wrote in his Bugtraq posting.
Applying pressure
Some industry experts argue that publicly releasing information about security holes forces software companies like Microsoft to take responsibility for their errors and produce fixes more quickly.
But others claim that releasing information could put users at unnecessary risk, including Microsoft’s head of security, Scott Culp. He wrote a recent essay calling for bug hunters to stop releasing information before patches are available.
“There are arguments for and against releasing information,” says Whitehouse. “But I think there is a middle ground.”
A number of computer industry heavyweights including Microsoft, Foundstone, Guardent and @Stake are currently drawing up a set of voluntary guidelines that many hope will bring more order to the process of bug hunting and bug fixing.
