Researcher: Microsoft Security Team Dismissive, Adversarial

A security researcher who disclosed a zero-day vulnerability in Internet Explorer on Wednesday complained that Microsoft's security team gave him the brush-off and sent him a "rather threatening e-mail."

Ironically, the bug is in how IE warns users of potentially unsafe active content on a Web site, such as an ActiveX control.

Matthew Murphy posted a detailed description of the IE bug to the Full Disclosure security mailing list, where he noted that security dialogs could be used by attackers to hijack computers or install their own code on the compromised machines.

The security dialogs, said Murphy, are an exploitable weakness, especially in older versions of Windows, such as Windows 98, Windows 2000, and Windows XP SP1. But even newer OSes are vulnerable.

"On newer systems [Windows XP SP2, Windows Server 2003] the impact of this vulnerability is more limited, but remains serious," he said.Some user interaction is required for a successful attack -- socially engineered attacks are now commonplace -- but it wouldn't be tough to trick users, he alleged.

"A malicious user could create content [on a Web site] that would request the user to click an object or press a sequence of keys. By delivering a security prompt during this process, the site could subvert the prompting and obtain permission for actions that were not necessarily authorized."

Murphy first notified Microsoft of the flaw in October 2005, but wasn't contacted by a Microsoft Security Response Center (MSRC) staffer until February 2006. The MSRC dismissed the vulnerability as not serious.

"At that time, I was told that the vulnerability had been classed as a 'Service Pack' fix, meaning that users of Windows 2000 will not receive a fix for this vulnerability," wrote Murphy.

In 2004, Microsoft dumped plans to release a fifth and final service pack, and instead said it would later unveil an "Update Rollup," which it did in mid-2005.Murphy claimed that the MSRC disputed his assessment of the vulnerability, and in March, asked for exploit code -- proof that the bug would be used in an attack -- in "a rather threatening e-mail." The MSRC also asked Murphy to justify " why this issue is so important."

Since March 24, Murphy has not heard from Microsoft.

"I have a long track record dealing with [MSRC], about four years now, but this [attitude] was new and certainly not something I was accustomed to," said Murphy.

"The e-mail I got was hostile, as if whoever wrote it had a very bad day."

In the e-mail, the Microsoft staffer told him "I hope you're reconsidering going public [with the vulnerability]. By going public, you will put our customers at risk. You may think about how going public will affect your relationship going forward with MSRC."Typically, Microsoft takes a strong stance against researchers who disclose details of a bug before Microsoft has patched the flaw, usually labeling the practice as "irresponsible" in its advisories and press releases.

"Allowing vendors indefinite time to patch or respond without some accountability on their end is what's irresponsible," Murphy countered. "They've had their shot."