Microsoft has come under fire for leaving a security flaw affecting Internet Explorer unpatched for over a year, but the software giant has responded by saying it had to ensure customers would not be adversely affected by any fix it issued.
Earlier this week, Microsoft issued a Security Advisory note stating it was investigating a reported vulnerability in its Microsoft Video ActiveX Control.
It later emerged that the two researchers who discovered the flaw, Ryan Smith and Alex Wheeler working at IBM Internet Security Systems, submitted an official report to Microsoft as early as last year.
Microsoft said that an attacker who successfully exploited the vulnerability in question could gain the same user rights as the local user if they are using Internet Explorer, and execution may not require any action on the user's behalf, unlike many other exploits that trick the user into running them.
In a blog posting, Mike Reavey, head of Microsoft's Security Response Center (MSRC), said the company is working towards a security update, but that it decided to issue workaround details to customers when it found attackers were beginning to exploit the vulnerability.
"We were far enough in the process that we could provide information that customers can use to protect themselves in the interim while we complete the investigation and deliver a security update that you can deploy broadly with confidence," Reavey said.
Microsoft engineers have decided the best approach to protect customers is to disable the functionality targeted in the attack, as it claims there are was no known uses for these interfaces in Internet Explorer, but this approach must be taken with caution.
"When we disable or remove functionality, we have to engage in even more research and testing than usual, to ensure that we can take this step and not cause more harm than good by inadvertently 'breaking' applications," said Reavey.
While Microsoft continues to work on the issue, customers can follow instructions here to implement a workaround for the flaw.
Microsoft responds to criticism over late fix
By
Daniel Robinson
on Jul 13, 2009 12:28PM
Got a news tip for our journalists? Share it with us anonymously here.
Partner Content
How NinjaOne Is Supporting The Channel As It Builds An Innovative Global Partner Program
Build cybersecurity capability with award winning Fortinet training from Ingram Micro
Kaseya Dattocon APAC 2024 is Back
Tech For Good program gives purpose and strong business outcomes
Channel can help lead customers to boosting workplace wellbeing with professional headsets
Sponsored Whitepapers
-1.jpg&w=100&c=1&s=0)
Stop Fraud Before It Starts: A Must-Read Guide for Safer Customer Communications
The Cybersecurity Playbook for Partners in Asia Pacific and Japan
Pulseway Essential Eight Framework
7 Best Practices For Implementing Human Risk Management
2025 State of Machine Identity Security Report
.png&w=100&c=1&s=0)
