A bug in Microsoft's ActiveX scripting component allows network attackers to peek at cookies, read files and even run programs on a victim's PC.
In an advisory released Wednesday, Thor Larholm, a security researcher and partner at risk-assessment company PivX Solutions, warned that HTML objects embedded in Web pages and e-mails could carry code that allows an attacker to check out victims' cookie files, read their documents, and execute programs on their computer.
The bug, known as a cross-domain scripting flaw, was discovered on June 25, and information about it has been posted on several security lists since then. Larholm also informed Microsoft of the bug the day it was discovered.
"Since this is possibly very publicly known...I have decided to release this advisory after only two weeks time," Larholm said in the warning.
Microsoft thought Larholm had overstated the seriousness of the flaw. "Thor's advisory doesn't make it clear that there are significant mitigating factors associated with the issue," said a company representative, adding that people who limited their browsing to trusted sites would be safe as would people who had installed one of the software giant's patches for its e-mail clients.
The company chose to lambaste Larholm for disclosing the flaw too quickly. "It's a shame that Thor chose to publicize this issue before the patch could be completed, because by doing so, he's significantly increased the risk to customers," the representative said.
The amount of information disclosed about a flaw, and how fast consultants make the disclosure, has been a point of contention between software makers and the bug finders based at security companies. Recent research suggests, however, that the corporate customers who suffer from software maker's slipups actually want flaws disclosed more quickly.
Hackers and security experts frequently find software flaws in Microsoft's Internet Explorer. In June, Microsoft released a patch for an IE flaw that allowed attackers to run code on a victim's computer by exploiting links to an old pre-Web protocol known as Gopher. The month before that, the company released a patch for IE that fixed six different flaws.
To repair the current problem, Larholm recommended that users disable ActiveX in the security settings for Internet Explorer, or run IE and Outlook in "Restricted" mode, at least until Microsoft releases a patch.
Microsoft said a patch will be available soon.