MS moves slowly to patch latest IE5.5 hole
Don't think it thinks it's that big a deal
Microsoft says that it is just "days" away from a patch for the latest hole in Internet Explorer 5.5 exposed by Bulgarian security man, George Guninski.
Guninski has a penchant for uncovering flaws in the browser the vast majority of his finds being IE related. This latest find is his 23rd this year.
It exploits a MS software function that can be used to create new Active-X objects, which can then be run - irrespective of whether they have been digitally signed by Microsoft as safe to run, explains Deri Jones, security services manager at NTA Monitor.
Active-X is an applet technology from Microsoft with very little security designed into it. It has some "bolted on" but this, says Jones, is not always a good solution.
The problem with having a browser that will run non-approved applets is that anything can find its way onto a system, causing a certain amount of trouble.
Guninski has a 24 hour notice period policy - that is to say he will give Microsoft a day to respond to the security flaw before he goes public with it. Microsoft says that this is not enough time.
A spokesman for the company said: "Typically these patches take between two and six weeks to design and test thoroughly. It would be irresponsible to release a work around that could cause more problems than it solved."
He also said that often a security hole is so unlikely to be an issue for most users that the company may chose to ignore it. "Sometime the combination of events leading to a flaw is so unusual, we don't bother fixing it," he told us. ®