
IE hole sparks fresh concerns

by Gareth Morgan

12 Nov 2001

A further hole in Microsoft's Internet Explorer has been revealed which could lead to sensitive information being compromised, and no patch has yet been offered.

Microsoft issued a security bulletin after it was revealed that a vulnerability exists in IE 5.5 and 6.0 that may allow hackers to use a modified URL to gain unauthorised access to users' cookies.

The flaw, rated as a high security risk by Microsoft, was discovered by Finnish security firm Online Solutions.

It has sparked a war of words between Microsoft and the security firm, with the software giant accusing the Finnish firm of acting "irresponsibly" by releasing details of the vulnerability before a patch was developed.

For its part, Online Solutions claims it provided adequate notice, and was not taken seriously by Microsoft.

Until a patch is released, system administrators should disable active scripting in their browsers, said Graham Cluley, senior technology consultant at security firm Sophos.

"History shows us that there are malicious people out there who will attempt to exploit this," he said.

Microsoft will be tainted by the volume of security holes associated with its products, but the company has a good record of working with firms to develop patches before vulnerabilities are made public, he added.

"A code of conduct on how to deal with vulnerabilities would help vendors and end-users. Improving the mechanism for delivering patches would also improve security," he said.

Security companies @Stake, BindView, Foundstone, Guardent and Internet Security Systems are to join Microsoft in forming a hacker watchdog group called The Responsible Disclosure Forum.

The forum's aim is to establish guidelines and codes of conduct for releasing information about software vulnerabilities.

Two weeks is a reasonable time period to expect a software vendor to produce a patch or workaround in response to a vulnerability, said John Pescatore, vice-president of information security strategies at analyst firm Gartner.

Additional time should also be allowed for regression testing of patches. "Any vendor that cannot respond in this time frame should not sell software that will be exposed to the internet," he said.
