Microsoft admits IE security alert lapse

Microsoft has admitted that it knew about a security hole in Internet Explorer (IE) a full week before it accused a security firm of acting irresponsibly for publicly disclosing details of the exploit.

Microsoft has retracted its earlier claim that the first it heard of the exploit was on 8 November -- the date of the public disclosure -- and now admits that it was actually notified a week earlier, on 1 November. Microsoft insists that two weeks were needed to investigate the alert properly, and maintains that no security breaches occurred through the delay.

"We are obviously not going to respond instantly -- we have to sieve the wheat from the chaff to determine how reliable the vulnerability warning is," said Neil Laver, Windows product marketing manager for Microsoft. "Until we can investigate the issue, we are not going to issue a bulletin, as that would create a crying wolf situation."

The high-risk vulnerability in IE 5.5 and 6.0 allows malicious code to gain unauthorised access to a user's cookies and expose the sensitive information that they contain. Cookies are text files, saved on a computer hard drive as a unique reference for identifying individual customers, and used to retain a Web sites' settings for customers across multiple sessions. Because most e-commerce Web sites use cookies to store sensitive information about users, it is possible that personal information could be exposed through the software hole.

IT security firm Online Solutions discovered the exploit on 1 November and informed Microsoft's Security Response Centre with the technical details of its discovery on the same day. Microsoft acknowledged the alert along with the promise that it would investigate the issue as quickly as possible. But a lack of feedback on the investigation prompted Online Solutions to place increasing pressure on Microsoft to issue a bulletin about the IE hole. After one week of waiting, the security company went public with a press release about the exploit on 9 November -- Microsoft published an alert on its Web site later that day.

"We decided to make the issue public. We did the responsible thing -- people who are using software that their business relies on to hold personal information, should be aware in reasonable time that the programme is not secure," said Jyrki Salmi, managing director of Online Solutions. "Microsoft argued that by releasing details of the bug, it would give people time to take advantage of the vulnerability, but so far we haven't heard of any security breaches."

Admitting that Online Solutions acted responsibly, Microsoft apologised for what it called its 'inaccurate' earlier statements.

"We receive vast numbers of alerts on a daily basis -- we are not going to respond instantly," said Laver. "We have to test multiple configurations, and find an appropriate workaround that doesn't break Web-based applications."

The workaround, issued on 9 November, advised customers to disable Active Scripting, which would protect them from Web-hosted and mail-borne variants of the vulnerability. A patch was issued on 14 November.

See the Viruses and Hacking News Section for the latest headlines.

See the Net Crime News Section for the latest on hacking, fraud, viruses and related issues.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read other letters.