Microsoft upgrades a second risk rating

For the second time this month Microsoft will raise the risk rating on a flaw affecting Internet Explorer (IE) after experts told...

For the second time this month Microsoft will raise the risk rating on a flaw affecting Internet Explorer (IE) after experts told the company it underrated the issue.

The cumulative patch announced on 20 November in Microsoft's security bulletin MS02-066 for the IE Web browser would now be rated "critical", rather than "important", Microsoft director of security assurance Steve Lipner.

Microsoft initially thought a buffer overrun that results when PNG (Portable Network Graphics) files are opened could only be exploited to cause IE, Microsoft Office applications or the Microsoft Index Server, to fail.

Now Microsoft has warned successful exploitation of the flaw could allow an attacker to gain control over a user's machine.

Security vendor eEye Digital Security, the discoverer of the PNG vulnerability, suggested the flaw should get the highest risk rating as it allowed an attacker to run code on a victim's PC. Microsoft responded by raising the severity rating of bulletin MS02-066, although it has not yet been able to verify the exploit, Lipner said.

Buffer overrun flaws generally allow an attacker to take over a user's machine. An attacker exploits an unchecked buffer in a program to load his own code onto a system and run it.

This is the second time this month that Microsoft has been forced to increase the severity rating on a security vulnerability affecting IE, the Web browser used by millions worldwide.

Two weeks ago, Microsoft increased from "moderate" to "critical" the rating on a flaw in an IE security feature discovered by GreyMagic Software.

Under Microsoft's security rating system, changed last month, critical vulnerabilities are those that could be exploited to allow Internet worms to spread without user action. Vulnerabilities rated "important" are those that could expose user data or threaten system resources.

"We are continuing to review our processes for reproducing reported vulnerabilities, and for working with external security researchers to ensure that our severity ratings are as accurate as possible," said Lipner.

The cumulative patch announced in MS02-066 provided all previously released fixes for IE 5.01, IE 5.5 and IE 6.0 and patched six other new vulnerabilities. To exploit the PNG vulnerability, an attacker would have to lure a user to a Web site hosting a deliberately malformed PNG file, Microsoft said. According to eEye, an e-mail-based attack is also possible.

More details on the PNG flaw can be found in Microsoft security bulletin MS02-066 at:

Read more on Operating systems software