Microsoft Fixes Flaw in Xbox Web Site

A security company often at odds with Microsoft said Wednesday it had identified a vulnerability in the Redmond, Wash.-based developer's Xbox Web site that could be used by phishers to shanghai personal information.

The bug, called a "cross-scripting" vulnerability, affected Microsoft's Xbox 360 site, where gamers can get a sneak peak at the upcoming console's features. According to Finjan Software, the vulnerability could let phishers harvest such things as e-mail addresses and credit card numbers.

Finjan told Microsoft of its findings last week; Microsoft quickly modified the site to eliminate the vulnerability.

"This discovery is another example of our cooperation with Microsoft and other leading software vendors to fix vulnerabilities before they are exploited by the hacking community," said Shlomo Touboul, Finjan's chief executive in a statement.

That conciliatory tone is at odds with past blow-ups between Finjan and Microsoft. Last November, for instance, Finjan claimed that Windows XP SP2 had 10 unpatched vulnerabilities, and Microsoft responded by calling the San Jose, Calif.-based security firm's claims "potentially misleading and possibly erroneous."

At the time, a Microsoft spokesperson said "We encourages Finjan to abide by the principles of responsible disclosure and to decline to provide further comment or details on the alleged vulnerabilities until Microsoft is able to complete its investigation and can respond."

Microsoft officials have been relentless in their criticism of security researchers whom they think prematurely disclose vulnerability information.