Microsoft has acknowledged that it knew about an Internet Explorer security hole--and failed to issue a fix--a full week before it accused a security company of placing IE users at risk by publicly disclosing details of the flaw.
A Microsoft representative retracted an earlier claim that the company first heard of the flaw on Nov. 8--the date of security company Online Solutions' public disclosure--and said Microsoft was actually notified by Online a week earlier, on Nov. 1.
Two weeks were needed to investigate the alert properly, said Neil Laver, Windows product marketing manager for Microsoft, and no security breaches occurred during the delay.
"We are obviously not going to respond instantly. We have to sieve the wheat from the chaff to determine how reliable the vulnerability warning is," said Laver. "Until we can investigate the issue, we are not going to issue a bulletin, as that would create a crying-wolf situation."
Online Solutions discovered the hole Nov. 1 and informed Microsoft's Security Response Center of the technical details of its discovery the same day. Microsoft responded to Online, acknowledging the alert and promising to investigate the issue as quickly as possible.
But a lack of feedback on the investigation prompted Online Solutions to place increasing pressure on Microsoft to issue a bulletin about the hole. After one week of waiting, the security company went public with a press release about the flaw on Nov. 9--Microsoft published an alert on its Web site later that day.
Gartner analyst John Pescatore says as security problems escalate, businesses need to realize that the Internet isn't as reliable or stable as private networks and other utility services.
"Microsoft argued that by releasing details of the bug, it would give people time to take advantage of the vulnerability," Salmi added, "but so far we haven't heard of any security breaches."
Acknowledging that Online Solutions acted responsibly, Microsoft apologized for what it called its "inaccurate" earlier statements.
"We receive vast numbers of alerts on a daily basis," said Laver. "We are not going to respond instantly. We have to test multiple configurations and find an appropriate work-around that doesn't break Web-based applications."
The work-around, issued Nov. 9, advises customers to disable Active Scripting, a move that protects them from Web-hosted and mail-borne variants of the vulnerability. A patch was issued Nov. 14.
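The work-around the article describes is a per-zone Internet Explorer setting. The script below is an added example, not from the article or from Microsoft or Online Solutions; it audits and applies the "disable Active Scripting" setting for the Internet zone through the user's zone-settings registry keys. It assumes the well-known layout under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones`, where subkey 3 is the Internet zone and the DWORD named `1400` governs Active scripting (0 = Enable, 1 = Prompt, 3 = Disable); that this layout matches the 2001-era IE builds the article concerns is an assumption.

```powershell
# Added example (not the article's or Microsoft's own tooling): audit and apply the
# "disable Active Scripting" work-around for the Internet Explorer Internet zone.
# Assumption: per-user zone settings live under the key below, with subkey 3 = Internet
# zone, 4 = Restricted sites, and DWORD "1400" = Active scripting (0 Enable, 1 Prompt, 3 Disable).

$ZoneRoot        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ActiveScripting = '1400'   # URL action id for Active scripting

function Get-ActiveScriptingState {
    # Returns a readable state for the given zone (default: 3, the Internet zone).
    param([int]$Zone = 3)
    $key  = Join-Path $ZoneRoot $Zone
    $item = Get-ItemProperty -Path $key -Name $ActiveScripting -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet (zone default applies)' }
    switch ($item.$ActiveScripting) {
        0       { 'Enable' }
        1       { 'Prompt' }
        3       { 'Disable' }
        default { "Unknown ($($item.$ActiveScripting))" }
    }
}

function Disable-ActiveScripting {
    # Sets Active scripting to Disable (3) for the given zone; supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$Zone = 3)
    $key = Join-Path $ZoneRoot $Zone
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess("$key\$ActiveScripting", 'Set Active scripting to Disable (3)')) {
        Set-ItemProperty -Path $key -Name $ActiveScripting -Value 3 -Type DWord
    }
}

# Usage: report the current state, then preview the change (drop -WhatIf to apply it).
"Internet zone Active scripting: $(Get-ActiveScriptingState -Zone 3)"
Disable-ActiveScripting -Zone 3 -WhatIf
"Internet zone Active scripting after change: $(Get-ActiveScriptingState -Zone 3)"
```

The audit function is worth running before and after the change: a Group Policy that applies machine-wide zone settings can override the per-user values, so the state read back is what actually matters. As the article notes, disabling Active scripting in the Internet zone is a blunt control that can break script-driven web applications, which is why it was offered as an interim work-around until the Nov. 14 patch rather than as a permanent configuration.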
Staff writer Wendy McAuliffe reported from London.