Experts: Don't rely solely on patches

Following unresolved ActiveX vulnerability in Internet Explorer, security experts say users should take extra precaution and not rely on critical patches alone.
Written by Victoria Ho, Contributor

Users should take extra precautions against security holes and not rely only on critical patches to ensure safety, say security experts.

According to reports, Microsoft was aware of an ActiveX vulnerability affecting its Internet Explorer browser for over a year, but left it open. It issued a security advisory earlier this week, saying it was investigating the hole.

It has also issued a temporary workaround, till the issue is resolved.

Internet Explorer is used by almost 70 percent of the world, as of February this year.

The software giant's failure to issue a patch has led to a flurry of reports online, with some researchers comparing the potential spread of the vulnerability to the Conficker virus.

Paul Ducklin, head of technology for Asia-Pacific at Sophos, told ZDNet Asia the dangers of a software maker taking too long to fix a hole is that it leaves the opportunity open for malicious attacks.

While Microsoft may have not issued a patch sooner because it was wary of creating new problems in its attempt to fix the old, the onslaught of malware while the hole stays open "means you have to rush out a fix anyway", Ducklin said.

"A year sounds like a long time to me, though. Perhaps it could have been a bit swifter in this case," he said.

Ducklin added that users employing antivirus software are protected at a secondary level, with the software intended to catch and block malicious files should they encounter them.

Chia Wing Fei, security response senior manager at F-Secure Security Labs, also acknowledged the possibility of Microsoft's need to ensure stability of the patch.

According to Chia, another way to avoid the Internet Explorer hole is by using alternative browsers, such as Firefox, Opera or Chrome.

Microsoft was unable to respond by press time.

Editorial standards