A new security vulnerability in Internet Explorer could leave users with insecure desktops for up to a month, because no security patch is yet available from Microsoft.
The threat is planted on users’ PCs when they visit websites secretly loaded with malicious code. It was first discovered by an independent researcher in China and then passed on to the security websites Full-Disclosure, Bugtraq and Secunia.
The code bypasses the Internet Explorer security control that normally stops files on a website from being downloaded and run on the user’s PC. Potentially sensitive information from the user’s “My Computer” area can then be accessed remotely using the code.
Microsoft criticised the fact that the flaw was made public before it was brought to its attention.
“This possible threat was not disclosed responsibly, and users would have been better served if Microsoft had been approached directly about it,” said a Microsoft spokeswoman.
However, Secunia’s chief technical officer, Thomas Kristensen, stressed that the company does follow normal responsible disclosure guidelines when it discovers flaws in software.
“[This] gives suppliers time to confirm the vulnerability and develop a proper patch before alerting the general public,” he said. “Unfortunately many security researchers believe that the public should know first.”
The latest flaw is not addressed by the Microsoft general security patch available since 11 November, and it may not be until January that a fix can be included in a new batch of Microsoft fixes, in line with Microsoft’s practice of developing monthly patches after thorough investigation of threats.
The Microsoft spokeswoman said, “The company is investigating this possible security threat, but so far hasn’t been made aware of any active exploitation.

“Upon completion of the company’s investigation, a fix to the perceived problem may be included in a monthly patch or a separate patch may be released earlier.”
Kristensen said Microsoft was already working on the fixes for its December security patch and claimed it would struggle to have a solution ready before January if it stuck to its usual monthly cycle.
In a separate development, a Trojan is doing the rounds which spreads by enticing users with the promise of pornographic pictures. The e-mailed “Sysbug” Trojan has the subject line “Re (2) Mary” and carries an attachment. Once the attachment is opened, the user’s PC is left vulnerable to remote attacks from hackers.