A new security vulnerability in Internet Explorer could leave users with insecure desktops for up to a month, because no security patch is yet available from Microsoft.
The threat is triggered when users visit websites secretly loaded with malicious code. It was first discovered by an independent researcher in China and then passed on to the security websites Full-Disclosure, Bugtraq and Secunia.
The code bypasses the Internet Explorer security controls that normally stop files on a website from being downloaded and run on the user’s PC. Potentially sensitive information in the user’s “My Computer” area can then be accessed remotely using the code.
Microsoft criticised the fact that the flaw was made public before it was brought to the company’s attention.
“This possible threat was not disclosed responsibly, and users would have been better served if Microsoft had been approached directly about it,” said a Microsoft spokeswoman.
However, Secunia’s chief technical officer, Thomas Kristensen, stressed that Secunia does follow normal responsible disclosure guidelines when it discovers flaws in software.
“[This] gives suppliers time to confirm the vulnerability and develop a proper patch before alerting the general public,” he said. “Unfortunately many security researchers believe that the public should know first.”
The latest flaw is not addressed by the Microsoft general security patch available since 11 November, and it may be January before a fix can be included in a new batch of Microsoft fixes, in line with Microsoft’s practice of developing monthly patches after a thorough investigation of each threat.
The Microsoft spokeswoman said, “The company is investigating this possible security threat, but so far hasn’t been made aware of any active exploitation.
“Upon completion of the company’s investigation, a fix to the perceived problem may be included in a monthly patch or a separate patch may be released earlier.”
Kristensen said Microsoft was working on the fixes for its December security patch and claimed it would struggle to get a solution ready before January if it stuck to its usual monthly cycle.
In a separate development, a Trojan is doing the rounds that spreads by enticing users with the promise of pornographic pictures. The e-mailed “Sysbug” has the subject line “Re (2) Mary” and contains an attachment. Once the attachment is opened, the user’s PC is vulnerable to remote attacks from hackers.