Feeds

MS moves slowly to patch latest IE5.5 hole

Don't think it thinks it's that big a deal

  • alert
  • submit to reddit

Beginner's guide to SSL certificates

Microsoft says that it is just "days" away from a patch for the latest hole in Internet Explorer 5.5 exposed by Bulgarian security man, George Guninski.

Guninski has a penchant for uncovering flaws in the browser the vast majority of his finds being IE related. This latest find is his 23rd this year.

It exploits a MS software function that can be used to create new Active-X objects, which can then be run - irrespective of whether they have been digitally signed by Microsoft as safe to run, explains Deri Jones, security services manager at NTA Monitor.

Active-X is an applet technology from Microsoft with very little security designed into it. It has some "bolted on" but this, says Jones, is not always a good solution.

The problem with having a browser that will run non-approved applets is that anything can find its way onto a system, causing a certain amount of trouble.

Guninski has a 24 hour notice period policy - that is to say he will give Microsoft a day to respond to the security flaw before he goes public with it. Microsoft says that this is not enough time.

A spokesman for the company said: "Typically these patches take between two and six weeks to design and test thoroughly. It would be irresponsible to release a work around that could cause more problems than it solved."

He also said that often a security hole is so unlikely to be an issue for most users that the company may chose to ignore it. "Sometime the combination of events leading to a flaw is so unusual, we don't bother fixing it," he told us. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
MI6 oversight report on Lee Rigby murder: US web giants offer 'safe haven for TERRORISM'
PM urged to 'prioritise issue' after Facebook hindsight find
Assange™ slumps back on Ecuador's sofa after detention appeal binned
Swedish court rules there's 'great risk' WikiLeaker will dodge prosecution
NSA mass spying reform KILLED by US Senators
Democrats needed just TWO more votes to keep alive bill reining in some surveillance
'Internet Freedom Panel' to keep web overlord ICANN out of Russian hands – new proposal
Come back with our internet! cries Republican drawing up bill
What a Mesa: Apple vows to re-use titsup GT sapphire glass plant
Commits to American manufacturing ... of secret tech
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Designing and building an open ITOA architecture
Learn about a new IT data taxonomy defined by the four data sources of IT visibility: wire, machine, agent, and synthetic data sets.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.