MS moves slowly to patch latest IE5.5 hole

Don't think it thinks it's that big a deal

By Lucy Sherriff • Get more from this author

Posted in Music and Media, 11th October 2000 16:42 GMT

Free whitepaper – Optimizing the data center for cost and efficiency

Microsoft says that it is just "days" away from a patch for the latest hole in Internet Explorer 5.5 exposed by Bulgarian security man, George Guninski.

Guninski has a penchant for uncovering flaws in the browser the vast majority of his finds being IE related. This latest find is his 23rd this year.

It exploits a MS software function that can be used to create new Active-X objects, which can then be run - irrespective of whether they have been digitally signed by Microsoft as safe to run, explains Deri Jones, security services manager at NTA Monitor.

Active-X is an applet technology from Microsoft with very little security designed into it. It has some "bolted on" but this, says Jones, is not always a good solution.

The problem with having a browser that will run non-approved applets is that anything can find its way onto a system, causing a certain amount of trouble.

Guninski has a 24 hour notice period policy - that is to say he will give Microsoft a day to respond to the security flaw before he goes public with it. Microsoft says that this is not enough time.

A spokesman for the company said: "Typically these patches take between two and six weeks to design and test thoroughly. It would be irresponsible to release a work around that could cause more problems than it solved."

He also said that often a security hole is so unlikely to be an issue for most users that the company may chose to ignore it. "Sometime the combination of events leading to a flaw is so unusual, we don't bother fixing it," he told us. ®

Free whitepaper – SPECjbb2005 performance and power consumption on Dell, HP, and IBM blade servers