08 Nov 2002
Microsoft is still investigating flaws found last month in Internet Explorer that could allow malicious hackers to access users' passwords for e-commerce and online banking sites.
Israeli security consultancy GreyMagic has criticised Microsoft for its slow response to the nine vulnerabilities in Internet Explorer versions 5.5 and 6.0, eight of which were rated 'critical'.
Customers with the affected version of Microsoft's browser could be fooled into thinking that a forged web page is from a trusted e-commerce site, and an attacker could steal private local documents and cookies.
"Stealing cookies and forging website content could help the attacker get hold of the victim's password in an email service, bank or other sensitive domain, regardless of Secure Sockets Layer [encryption]," said Lee Dagon, head of research and development at GreyMagic.
Microsoft has hit back at the company for disclosing the flaws before they were validated, and claimed that it is still investigating the vulnerabilities.
Simon Conant, of the product support services group at Microsoft, said: "First we have to find out if these claims really are true and that we don't already know about them or have already fixed them.
"Then we will begin the process of fixing them and getting the fix out."
He admitted that several customers had enquired about the vulnerabilities, but said that Microsoft had not issued any formal alert.
"I cannot begin to hazard a guess at the time scale for this, but it is far too early to give any more details because we have to validate it ourselves first," explained Conant.
But Dagon dismissed Microsoft's response. "Anyone can plainly see that the vulnerabilities exist by using the proof-of-concept demonstrations we supplied when we released the advisory," he said.
Customers with up-to-date Internet Explorer security patches are unlikely to be at risk, and GreyMagic has admitted that there is no proof of any exploitation of the flaws outside its test labs.