Microsoft apologizes in security flap
Microsoft has acknowledged that it knew about an Internet Explorer
security hole--and failed to issue a fix--a full week before it accused
a security company of placing IE users at risk by publicly disclosing
details of the flaw.
A Microsoft representative retracted an earlier claim that the
company first heard of the flaw on Nov. 8--the date of security company
Online Solutions' public disclosure--and said Microsoft was actually
notified by Online a week earlier, on Nov. 1.
Two weeks were needed to investigate the alert properly, said Neil
Laver, Windows product marketing manager for Microsoft, and no security
breaches occurred during the delay.
"We are obviously not going to respond instantly. We have to
sieve the wheat from the chaff to determine how reliable the
vulnerability warning is," said Laver. "Until we can
investigate the issue, we are not going to issue a bulletin, as that
would create a crying-wolf situation."
The high-risk vulnerability in versions 5.5 and 6.0 of Internet
Explorer allows malicious code to gain unauthorized access to a PC
user's cookies and expose the sensitive information that they contain.
Cookies are text files saved on a computer's hard drive to identify the
user to Web sites. Because most e-commerce Web sites use cookies to
store information about users, it is possible that personal information
could be exposed through the software hole.
Online Solutions discovered the hole Nov. 1 and informed Microsoft's
Security Response Center of the technical details of its discovery the
same day. Microsoft responded to Online, acknowledging the alert and
promising to investigate the issue as quickly as possible.
But a lack of feedback on the investigation prompted Online Solutions
to place increasing pressure on Microsoft to issue a bulletin about the
hole. After one week of waiting, the security company went public with a
press release about the flaw on Nov. 9--Microsoft published an alert on
its Web site later that day.
"We decided to make the issue public," said Jyrki Salmi,
managing director of Online Solutions. "We did the responsible
thing. People who are using software that their business relies on to
hold personal information should be aware in reasonable time that the
program is not secure.
"Microsoft argued that by releasing details of the bug, it would
give people time to take advantage of the vulnerability," Salmi
added, "but so far we haven't heard of any security breaches."
Acknowledging that Online Solutions acted responsibly, Microsoft
apologized for what it called its "inaccurate" earlier
statements.
"We receive vast numbers of alerts on a daily basis," said
Laver. "We are not going to respond instantly. We have to test
multiple configurations and find an appropriate work-around that doesn't
break Web-based applications."
The work-around, issued Nov. 9, advises customers to disable Active
Scripting, a move that protects them from Web-hosted and mail-borne
variants of the vulnerability. A patch was issued Nov. 14.
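The work-around above is a browser setting change. As an added illustration (not code from the article, Microsoft or Online Solutions), the following PowerShell snippet shows how an administrator today could check and apply that same setting for the Internet zone. It assumes the standard Internet Explorer security-zone registry layout (Zones\3 for the Internet zone, value name 1400 for Active Scripting, with 0 = enable, 1 = prompt, 3 = disable); the function names are this example's own.

```powershell
# Added example, not from the article. Assumes the standard IE zone registry
# layout: Zones\3 = Internet zone, value 1400 = Active Scripting,
# 0 = enable, 1 = prompt, 3 = disable.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$activeScripting = '1400'

function Get-ActiveScriptingState {
    # Read the current Active Scripting setting for the Internet zone.
    $props = Get-ItemProperty -Path $zonePath -Name $activeScripting -ErrorAction SilentlyContinue
    $current = $props.$activeScripting
    switch ($current) {
        0       { 'Enabled' }
        1       { 'Prompt' }
        3       { 'Disabled' }
        default { "Unknown ($current)" }
    }
}

function Disable-ActiveScripting {
    # The article's interim mitigation: turn Active Scripting off for the
    # Internet zone until the patch is applied. As Microsoft notes, expect
    # some Web-based applications to stop working while it is disabled.
    Set-ItemProperty -Path $zonePath -Name $activeScripting -Value 3 -Type DWord
}

"Before: $(Get-ActiveScriptingState)"
Disable-ActiveScripting
"After:  $(Get-ActiveScriptingState)"
```

The snippet changes only the current user's setting; a machine-wide policy under HKLM, if one is present, takes precedence, so a defender verifying the mitigation should check the effective setting in the browser's zone dialog as well.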