
Déjà déjà vu...
By Robert Lemos
Published: 13 December 2002 09:30 GMT
For the second time in a week, Microsoft has acknowledged that its initial estimation of a software flaw underrated the true threat posed by the vulnerability.
The software giant said yesterday that it plans to change the severity of a vulnerability in software common to Internet Explorer and other Windows applications from "important" to "critical." The move was prompted by an in-depth analysis written by the security researchers who found the flaw.
"We believe that there is enough of a suggestion in this data to take action to protect customers," said Steve Lipner, director of Microsoft's security response centre. "We are going to change the bulletin."
The advisory originally said the vulnerability could be used only to make Internet Explorer fail. However, after two weeks of research, security firm eEye Digital Security warned PC users that the flaw, which occurs in the handling of the open-source image format PNG (portable network graphics), could enable malicious programs to run on the victim's system.
"It was very misleading to call it a (moderate) risk," said Marc Maiffret, chief hacking officer for eEye. "It is an exploitable vulnerability that can attack computers just by (the user) looking at an image."
This is the second time in a week that Microsoft has had to upgrade the severity of a vulnerability.
In early December, Microsoft upgraded another "moderate" flaw to "critical" after the company acknowledged that it had missed important details about how the vulnerability could be exploited to attack a system. Microsoft had added the "important" classification in November as the second-most severe rating for flaws.
Microsoft's Lipner said that the company is looking into how to avoid such mistakes in the future.
"Building these exploits is more art than science," he said. "We are reviewing what we do to reproduce and evaluate these things."
On Wednesday, Microsoft warned of eight flaws in its version of the Java virtual machine, the worst of which "could enable an attacker's Java applet to gain control over another user's system," according to the alert. The malicious program could let an attacker add, delete or change data on the victim's computer as well as run programs.
In the end, eEye's Maiffret chalked up the incident to mischance.
"Mistakes happen," he said. "We just hope that other companies take the extra step to get the right information out."
See http://www.microsoft.com/technet for more information.
Robert Lemos writes for News.com
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.