Microsoft Urges Move To IE 6 Service Pack 1 Following Code Leak

While downplaying the potential for hackers to uncover new vulnerabilities in Windows by having access to the source code, one top Microsoft Windows executive said during a monthly security briefing on Tuesday that customers using IE 5.x or IE 4.X versions should quickly download the latest IE code to protect their networks.

"Most of IE code is what was leaked," said Chris Jones, corporate vice president in the Windows Core Operating System Division, about the NT 4.0 and Windows 2000 code that leaked. "We don't believe [customers will be affected] so as long as they're current on the latest versions of IE. They need to move to IE 6 and security patches and service packs."

IE 6.0 Service Pack 1 was released during the fourth quarter of 2002 and is currently integrated into Windows XP Service Pack 1 and Windows Server 2003, Microsoft executives said. Jones also advised customers to access the latest security fixes and patches to address critical and important Windows and IE vulnerabilities, including a significant release earlier this month.

During the monthly security Webcast on Tuesday, Jones and Mike Nash, Microsoft's corporate vice president of the Security Business and Technology Unit, acknowledged Microsoft is actively investigating reports published over the weekend about a new IE vulnerability identified as a result of the leaked code.

Microsoft is confident that its own engineering staff has uncovered a good amount of the vulnerabilities, but the executives allowed for the possibility that there could be more IE 5.0 code that hackers could exploit. "We have done source code inspection, but we are doing due diligence," said Jones, noting that one of the IE vulnerabilities discussed over the weekend--in the Windows 2000 Service Pack 1--was already fixed by Microsoft in IE 6.0 Service Pack 1.

Microsoft's security executives also advised enterprise customers that are still running IE 5.5, IE 5.0 or IE 4 to disable code execution features if they don't move to IE 6.0 Service Pack 1and patches.

"We designed in security zones so [customers] can enable or disable browser features," Jones said during the one-hour Webcast. "I can set up Internet Explorer 4 and higher to not allow scripting or controls or other advanced technologies [to execute on IE]."

While several observers in the open-source and Windows communities dismissed the possibility of a large-scale attack based on the code leak late last week, one analyst acknowledged that it will be a test of Microsoft's own bug-finding capabilities. "Since Microsoft started going through its code as part of the Trustworthy Computing Initiative, it has had difficulty finding all the vulnerabilities," said Michael Cherry, an analyst with Directions on Microsoft, a newsletter in Kirkland, Wash. "I think that the latest Windows vulnerability, ASN.1, was found by [security vendor] eEye, not Microsoft. Maybe many eyes would improve this, but it still requires substantial programming knowledge to look at code like this."

Late last week, a published report in BetaNews traced the leak to Microsoft ISV partner Mainsoft, Redwood Shores, Calif. While Mainsoft declined to acknowledge accountability, executives said they are working with Microsoft on the issue.

While Microsoft executives refuse to discuss the cause, they reiterated that the leak did not arise from a breach of the Microsoft corporate network or from the company's shared source licensing program, which distributes source code to select government, academic, corporate and systems integration entities.

"We're still working on the details and can't comment on active investigation," said Jones, noting Microsoft is working with the FBI to identify who is responsible. "We know it wasn't a breach of our network [or shared source]. We believe it came from another channel."