CNET también está disponible en español.

Ir a español

Don't show this again

HolidayBuyer's Guide
Tech Industry

Microsoft apologizes in security flap

The company says it knew about an Internet Explorer flaw--and failed to issue a fix--a week before it accused a security company of putting IE users at risk by revealing the hole.

By Wendy McAuliffe

Microsoft has acknowledged that it knew about an Internet Explorer security hole--and failed to issue a fix--a full week before it accused a security company of placing IE users at risk by publicly disclosing details of the flaw.

A Microsoft representative retracted an earlier claim that the company first heard of the flaw on Nov. 8--the date of security company Online Solutions' public disclosure--and said Microsoft was actually notified by Online a week earlier, on Nov. 1.

Two weeks were needed to investigate the alert properly, said Neil Laver, Windows product marketing manager for Microsoft, and no security breaches occurred during the delay.

"We are obviously not going to respond instantly. We have to sieve the wheat from the chaff to determine how reliable the vulnerability warning is," said Laver. "Until we can investigate the issue, we are not going to issue a bulletin, as that would create a crying-wolf situation."

The high-risk vulnerability in versions 5.5 and 6.0 of Internet Explorer allows malicious code to gain unauthorized access to a PC user's cookies and expose the sensitive information that they contain. Cookies are text files saved on a computer's hard drive to identify the user to Web sites. Because most e-commerce Web sites use cookies to store information about users, it is possible that personal information could be exposed through the software hole.

Online Solutions discovered the hole Nov. 1 and informed Microsoft's Security Response Center of the technical details of its discovery the same day. Microsoft responded to Online, acknowledging the alert and promising to investigate the issue as quickly as possible.

But a lack of feedback on the investigation prompted Online Solutions to place increasing pressure on Microsoft to issue a bulletin about the hole. After one week of waiting, the security company went public with a press release about the flaw on Nov. 9--Microsoft published an alert on its Web site later that day.


Gartner analyst John Pescatore says as security problems escalate, businesses need to realize that the Internet isn't as reliable or stable as private networks and other utility services.

see commentary

"We decided to make the issue public," said Jyrki Salmi, managing director of Online Solutions. "We did the responsible thing. People who are using software that their business relies on to hold personal information should be aware in reasonable time that the program is not secure.

"Microsoft argued that by releasing details of the bug, it would give people time to take advantage of the vulnerability," Salmi added, "but so far we haven't heard of any security breaches."

Acknowledging that Online Solutions acted responsibly, Microsoft apologized for what it called its "inaccurate" earlier statements.

"We receive vast numbers of alerts on a daily basis," said Laver. "We are not going to respond instantly. We have to test multiple configurations and find an appropriate work-around that doesn't break Web-based applications."

The work-around, issued Nov. 9, advises customers to disable Active Scripting, a move that protects them from Web-hosted and mail-borne variants of the vulnerability. A patch was issued Nov. 14.

Staff writer Wendy McAuliffe reported from London.