Microsoft responds to criticism over late fix

By on
Microsoft responds to criticism over late fix

Flaw in ActiveX Control first reported in early 2008.

Microsoft has come under fire for leaving a security flaw affecting Internet Explorer unpatched for over a year, but the software giant has responded by saying it had to ensure customers would not be adversely affected by any fix it issued.

Earlier this week, Microsoft issued a Security Advisory note stating it was investigating a reported vulnerability in its Microsoft Video ActiveX Control.

It later emerged that the two researchers who discovered the flaw, Ryan Smith and Alex Wheeler working at IBM Internet Security Systems, submitted an official report to Microsoft as early as last year.

Microsoft said that an attacker who successfully exploited the vulnerability in question could gain the same user rights as the local user if they are using Internet Explorer, and execution may not require any action on the user's behalf, unlike many other exploits that trick the user into running them.

In a blog posting, Mike Reavey, head of Microsoft's Security Response Center (MSRC), said the company is working towards a security update, but that it decided to issue workaround details to customers when it found attackers were beginning to exploit the vulnerability.

"We were far enough in the process that we could provide information that customers can use to protect themselves in the interim while we complete the investigation and deliver a security update that you can deploy broadly with confidence," Reavey said.

Microsoft engineers have decided the best approach to protect customers is to disable the functionality targeted in the attack, as it claims there are was no known uses for these interfaces in Internet Explorer, but this approach must be taken with caution.

"When we disable or remove functionality, we have to engage in even more research and testing than usual, to ensure that we can take this step and not cause more harm than good by inadvertently 'breaking' applications," said Reavey.

While Microsoft continues to work on the issue, customers can follow instructions here to implement a workaround for the flaw.

Copyright ©

Most Read Articles

Log In

|  Forgot your password?