Microsoft has retracted its earlier claim that the first it heard of the exploit was on 8 November -- the date of the public disclosure -- and now admits that it was actually notified a week earlier, on 1 November. Microsoft insists that two weeks were needed to investigate the alert properly, and maintains that no security breaches occurred through the delay.
"We are obviously not going to respond instantly--we have to sieve the wheat from the chaff to determine how reliable the vulnerability warning is," said Neil Laver, Windows product marketing manager for Microsoft. "Until we can investigate the issue, we are not going to issue a bulletin, as that would create a crying wolf situation."
IT security firm Online Solutions discovered the exploit on 1 November and informed Microsoft's Security Response Center with the technical details of its discovery on the same day. Microsoft acknowledged the alert along with the promise that it would investigate the issue as quickly as possible. But a lack of feedback on the investigation prompted Online Solutions to place increasing pressure on Microsoft to issue a bulletin about the IE hole. After one week of waiting, the security company went public with a press release about the exploit on 9 November -- Microsoft published an alert on its Web site later that day.
"We decided to make the issue public. We did the responsible thing -- people who are using software that their business relies on to hold personal information, should be aware in reasonable time that the program is not secure," said Jyrki Salmi, managing director of Online Solutions. "Microsoft argued that by releasing details of the bug, it would give people time to take advantage of the vulnerability, but so far we haven't heard of any security breaches."
Admitting that Online Solutions acted responsibly, Microsoft apologized for what it called its 'inaccurate' earlier statements.
"We receive vast numbers of alerts on a daily basis -- we are not going to respond instantly," said Laver. "We have to test multiple configurations, and find an appropriate workaround that doesn't break Web-based applications."
The workaround, issued on 9 November, advised customers to disable Active Scripting, which would protect them from Web-hosted and mail-borne variants of the vulnerability. A patch was issued on 14 November.