Microsoft issues patch for IE hole

Summary: Microsoft says the week it took to develop the patch was speedy. Company execs were incensed that the flaw was released directly to the public.

Microsoft has issued a patch for a serious HTML vulnerability in Internet Explorer (IE), which would allow hackers to gain access to a user's cookies and expose the sensitive information that they contain.

The exploit was discovered on November 8, and was reported publicly rather than directly to Microsoft. On the same day, the software giant advised customers to disable Active Scripting, which would protect them from the Web-hosted and mail-borne variants of the vulnerability. Microsoft is insisting that the patch released on November 14 represents a fast turnaround by its security team.

"The vulnerability was publicly disclosed by someone who discovered the vulnerability on November 8, which was extremely irresponsible," said a spokesperson at Microsoft. "The immediate action that we took was to issue a work-around so that system administrators could protect themselves, and a patch was issued yesterday."

The high-risk vulnerability in IE 5.5 and 6.0 allows malicious code to gain unauthorised access to the cookies that are used to customise a site and retain its settings for a customer across multiple sessions. Because some e-commerce Web sites use cookies to store sensitive information about users, it is possible that personal information could be exposed through the software hole.

"It is a serious issue--people have always been worried about cookies, but have never considered that the information could be used by someone else from a Web site that they run," said Mark Read, security analyst at MIS Corporate Defence Solutions.

Read thinks it unlikely that the privacy policies of e-commerce sites will allow customer credit card details to be displayed as cookie information, but there is the potential for hackers to use the information to order goods online.

Cookies are text files, saved on a computer hard drive as a unique reference for identifying individual customers. "There is no easy way to get around cookies, as there needs to be some way of placing a unique identifier on a computer to say 'this is me'--the only alternative is digital certificates," said Read.
