MS slammed on security fix lateness


MS slammed on security fix lateness

Cliff Saran

Cliff Saran

A security hole has been found in Microsoft's Internet Information Server Web server software, which allows a would-be attacker to access sensitive files.

David Litchfield, founder of the security company Cerberus Information Security, reported the hole, which affects Internet Information Sever 4.0, on Monday 17 January. Yet, more than a week later, the company had still not released a patch.

Litchfield said he was concerned Microsoft had not yet released the patch or informed users of the risk and of ways to protect themselves.

"There is a problem [with IIS] and Microsoft is obviously not happy with the patch [it is developing]," he said. While Litchfield acknowledged that a patch needs to be tested thoroughly before it is released he stressed, "Users need to know there is a problem."

Usually when Microsoft is notified of a security flaw, it works on a software patch to fix the problem permanently and advises users of a work-around to protect their systems immediately.

At the time of writing, Microsoft had not released any information on a quick fix, although one is now available from Cerberus.

Mark Tennent, Windows product manager at Microsoft confirmed the security hole adding, "We take security holes very seriously." When Computer Weekly spoke to Tennent, he admitted the Microsoft patch was not ready.

Email Alerts

Register now to receive IT-related news, guides and more, delivered to your inbox.
By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

COMMENTS powered by Disqus  //  Commenting policy