The exploit was discovered on November 8, and was reported publicly rather than directly to Microsoft. On the same day, the software giant advised customers to disable Active Scripting, which would protect them from the Web-hosted and mail-borne variants of the vulnerability. Microsoft is insisting that the patch released on November 14 represents a fast turn-around by its security team.
"The vulnerability was publicly disclosed by someone who discovered the vulnerability on November 8, which was extremely irresponsible," said a spokesperson at Microsoft. "The immediate action that we took was to issue a work-around so that system administrators could protect themselves, and a patch was issued yesterday."
"It is a serious issue--people have always been worried about cookies, but have never considered that the information could be used by someone else from a Web site that they run," said Mark Read, security analyst at MIS Corporate Defence Solutions.
Read thinks it unlikely that the privacy policies of e-commerce sites will allow customer credit card details to be displayed as cookie information, but there is the potential for hackers to use the information to order goods online.
Cookies are text files, saved on a computer hard drive as a unique reference for identifying individual customers. "There is no easy way to get around cookies, as there needs to be some way of placing a unique identifier on a computer to say 'this is me'--the only alternative is digital certificates," said Read.