All the latest UK technology news, reviews and analysis
|
|
|
10 Jul 2009
Microsoft has come under fire for leaving a security flaw affecting Internet Explorer unpatched for over a year, but the software giant has responded by saying it had to ensure customers would not be adversely affected by any fix it issued.
Earlier this week, Microsoft issued a Security Advisory note stating it was investigating a reported vulnerability in its Microsoft Video ActiveX Control.
It later emerged that the two researchers who discovered the flaw, Ryan Smith and Alex Wheeler working at IBM Internet Security Systems, submitted an official report to Microsoft as early as spring 2008.
Microsoft said that an attacker who successfully exploited the vulnerability in question could gain the same user rights as the local user if they are using Internet Explorer, and execution may not require any action on the user's behalf, unlike many other exploits that trick the user into running them.
In a blog posting, Mike Reavey, head of Microsoft's Security Response Center (MSRC), said the company is working towards a security update, but that it decided to issue workaround details to customers when it found attackers were beginning to exploit the vulnerability.
"We were far enough in the process that we could provide information that customers can use to protect themselves in the interim while we complete the investigation and deliver a security update that you can deploy broadly with confidence," Reavey said.
Microsoft engineers have decided the best approach to protect customers is to disable the functionality targeted in the attack, as it claims there are was no known uses for these interfaces in Internet Explorer, but this approach must be taken with caution.
"When we disable or remove functionality, we have to engage in even more research and testing than usual, to ensure that we can take this step and not cause more harm than good by inadvertently 'breaking' applications," said Reavey.
While Microsoft continues to work on the issue, customers can follow instructions here to implement a workaround for the flaw.
Latest stories from Operating Systems
Related articles
Related jobs
Poll
What is the most important IT priority for your company this year?
Hands on with the highly anticipated Android 4.0 Ice Cream Sandwich hybrid tablet
Connect with V3.co.uk
This paper focuses on a series of best practices and techniques for development teams looking to improve their software development processes
Why good data management at all levels is essential in the modern business (video, 6mins)
Low Latency Network Engineer, Senior Network Engineer...
SQL DBA - (North London) North London , £45k - 50k...
Business Architect – (North London) £65,000 – 75,000k...
Graduate Software Engineer - Javascript OR Android...
Keep up to date with the latest products, services and technologies from the world's leading IT companies. IThound.com brings you over 2,000 white papers, case studies and analyst reports.
Do you agree?
Oh, give me a break!
"Microsoft has come under fire for leaving a security flaw affecting Internet Explorer unpatched for over a year, but the software giant has responded by saying it had to ensure customers would not be adversely affected by any fix it issued." So Microsoft contends that some minor inconvenience that *might* have been caused by someone deliberately using an undocumented "feature" (aka "GLARING SECURITY HOLE") in one of their products could somehow be more adverse than the absolute certainty that malicious persons who are almost certainly identity thieves and botnet herders will pwn the users' PCs? That is totally unbelievable. Frankly, it's a crock of sh*t. I believe that MS chose to ignore the problem until it was brought to the attention of the public, just like it has with so many other security issues.
Posted by: Old Man Dotes 10 Jul 2009