Network Computing is part of the Informa Tech Division of Informa PLC


Researcher: Microsoft Security Team Dismissive, Adversarial

A security researcher who disclosed a zero-day vulnerability in Internet Explorer on Wednesday complained that Microsoft's security team gave him the brush-off and sent him a "rather threatening e-mail."

Ironically, the bug is in how IE warns users of potentially unsafe active content on a Web site, such as an ActiveX control.

Matthew Murphy posted a detailed description of the IE bug to the Full Disclosure security mailing list, where he noted that security dialogs could be used by attackers to hijack computers or install their own code on the compromised machines.

The security dialogs, said Murphy, are an exploitable weakness, especially in older versions of Windows, such as Windows 98, Windows 2000, and Windows XP SP1. But even newer OSes are vulnerable.

"On newer systems [Windows XP SP2, Windows Server 2003] the impact of this vulnerability is more limited, but remains serious," he said.
