A security hole has been found in Microsoft's Internet Information Server Web server software, which allows a would-be attacker to access sensitive files.
David Litchfield, founder of the security company Cerberus Information Security, reported the hole, which affects Internet Information Server 4.0, on Monday 17 January. Yet, more than a week later, Microsoft had still not released a patch.
Litchfield said he was concerned Microsoft had not yet released the patch or informed users of the risk and of ways to protect themselves.
"There is a problem [with IIS] and Microsoft is obviously not happy with the patch [it is developing]," he said. While Litchfield acknowledged that a patch needs to be tested thoroughly before it is released, he stressed, "Users need to know there is a problem."
Usually when Microsoft is notified of a security flaw, it works on a software patch to fix the problem permanently and advises users of a work-around to protect their systems immediately.
At the time of writing, Microsoft had not released any information on a quick fix, although one is now available from Cerberus.
Mark Tennent, Windows product manager at Microsoft, confirmed the security hole, adding, "We take security holes very seriously." When Computer Weekly spoke to Tennent, he admitted the Microsoft patch was not ready.