The Register, 2001-01-19
Redmond says hasty disclosure, not buggy software, puts customers at risk.
As previously reported, a vulnerability involving the "skins" feature of Windows Media Player exists which could allow hackers to read files on a victim's PC. According to Guninski, if the bug is properly exploited it could allow an attacker to gain control of a victim's machine.
Microsoft is working on a fix that it said will provide a complete solution to the problem. In the interim it is advising users to change their security zone settings within Internet Explorer.
Michael Aldridge, a lead product manager in Microsoft's digital media division, told The Register that Guninski had given the software giant only a few days' notice and said he was acting "irresponsibly" in publicizing the flaw.
"The vast majority of security professionals handle vulnerabilities in a way that minimizes potential harm to users. Unfortunately, there's a small number who, like Mr. Guninski, handle them irresponsibly and put customers at risk," he said.
"In this case, for instance, he publicized the issue only a few days after reporting it to us. It is simply not possible for any vendor -- even Microsoft -- to develop a high-quality patch in only a few days. Our focus is making sure we deliver a complete patch and that does take time and testing."
Guninski said he notified Microsoft on Thursday, January 11, not January 12, and then published an advisory on Monday. He denies he acted irresponsibly, because a workaround was available, and alleged that Microsoft has not fixed another Internet Explorer bug he notified them about as long ago as last July.
"I totally do not agree with Microsoft's speculations that I am the problem for their buggy software. In my opinion they do not care about the security of their customers as they claim, they care about their image in the press," he said.
Guninski has a penchant for uncovering flaws in Internet Explorer, and the row about Windows Media Player is not the first time he has crossed swords with Microsoft. Previous Guninski postings of flaws in Microsoft software to full-disclosure security mailing lists like BugTraq have attracted criticism from Microsoft over short notice periods, but the latest row signals a new low in the software giant's relationship with the veteran Bulgarian bug hunter.