Microsoft on Friday raised its threat rating for a security flaw in its Internet Explorer browser to "critical," in response to criticism of its initial assessment of the hole"s danger.
A representative of Microsoft, which has come under fire for its security policies, said the company had changed its original rating of a flaw in IE versions 5.5 and 6 as a result of comments posted to the Bugtraq online bulletin board by a security consultant.
"Microsoft has given this vulnerability a maximum severity rating of moderate," Larholm wrote. "Great, so arbitrary command execution, local file reading and complete system compromise is now only moderately severe, according to Microsoft."
Larholm characterized the initial rating as an attempt to downplay the second major Internet security bug found in a Microsoft product in about two weeks. The first security hole exposed millions of Web servers and PCs to potential hacking. That flaw likely affected the more than 4 million Web sites using Microsoft"s Internet Information Server software.
"It seems like Microsoft is deliberately downplaying the severity of the vulnerabilities in an attempt to gain less bad press. It sure would look bad to release two critical cumulative updates in just two weeks, but that is exactly what has been done," Larholm wrote.
But Microsoft said Friday that it had simply missed an important detail when making its initial assessment of the flaw. By causing the company to do additional testing, Larholm"s postings alerted Microsoft to the error.