Microsoft admits IE security alert lapse

Summary:Last week Microsoft called a security firm 'irresponsible' for releasing details of an IE security hole. Now it admits the firm gave it a week's notice before going public.

Microsoft has admitted that it knew about a security hole in Internet Explorer (IE) a full week before it accused a security firm of acting irresponsibly for publicly disclosing details of the exploit.

Microsoft has retracted its earlier claim that the first it heard of the exploit was on 8 November -- the date of the public disclosure -- and now admits that it was actually notified a week earlier, on 1 November. Microsoft insists that two weeks were needed to investigate the alert properly, and maintains that no security breaches occurred through the delay.

"We are obviously not going to respond instantly--we have to sieve the wheat from the chaff to determine how reliable the vulnerability warning is," said Neil Laver, Windows product marketing manager for Microsoft. "Until we can investigate the issue, we are not going to issue a bulletin, as that would create a crying wolf situation."

The high-risk vulnerability in IE 5.5 and IE 6.0 allows malicious code to gain unauthorized access to a user's cookies and expose the sensitive information that they contain. Cookies are text files, saved on a computer hard drive as a unique reference for identifying individual customers, and used to retain a Web sites' settings for customers across multiple sessions. Because most e-commerce Web sites use cookies to store sensitive information about users, it is possible that personal information could be exposed through the software hole.

IT security firm Online Solutions discovered the exploit on 1 November and informed Microsoft's Security Response Center with the technical details of its discovery on the same day. Microsoft acknowledged the alert along with the promise that it would investigate the issue as quickly as possible. But a lack of feedback on the investigation prompted Online Solutions to place increasing pressure on Microsoft to issue a bulletin about the IE hole. After one week of waiting, the security company went public with a press release about the exploit on 9 November -- Microsoft published an alert on its Web site later that day.

"We decided to make the issue public. We did the responsible thing -- people who are using software that their business relies on to hold personal information, should be aware in reasonable time that the program is not secure," said Jyrki Salmi, managing director of Online Solutions. "Microsoft argued that by releasing details of the bug, it would give people time to take advantage of the vulnerability, but so far we haven't heard of any security breaches."

Admitting that Online Solutions acted responsibly, Microsoft apologized for what it called its 'inaccurate' earlier statements.

"We receive vast numbers of alerts on a daily basis -- we are not going to respond instantly," said Laver. "We have to test multiple configurations, and find an appropriate workaround that doesn't break Web-based applications."

The workaround, issued on 9 November, advised customers to disable Active Scripting, which would protect them from Web-hosted and mail-borne variants of the vulnerability. A patch was issued on 14 November.

Topics: Software

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.