Microsoft late Monday responded to reports of a critical zero-day vulnerability in Internet Explorer with a security advisory that promised a fix but not a timeline.
Initially, the vulnerability was thought only to crash the browser, but new information, researchers said, points to a greater risk: an attacker could run malicious code remotely on a victim's PC by luring the user to a malicious Web site. The bug was labeled "extremely critical" by one security vendor Monday.
IE 5.01, 5.5, and 6.0 are open to attack, Microsoft said, even when running on fully patched editions of Windows XP SP2, Windows Server 2003 SP1, and Windows 2000 SP4. The advisory offered several steps users could take to blunt an attack, including disabling Active Scripting or setting IE to prompt before running it.
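As an added illustration (not part of the article or of Microsoft's advisory), the PowerShell script below applies the prompt-before-running-Active-Scripting workaround to the Internet and Local intranet zones for the current user and reads the setting back. It assumes the standard IE security-zone registry layout, in which zone 1 is Local intranet, zone 3 is Internet, and the DWORD named 1400 under each zone holds the Active Scripting action (0 = enable, 1 = prompt, 3 = disable); these are the same settings the Internet Options dialog edits.

```powershell
# Added example, not the advisory's own steps: set IE's "Active scripting"
# action for a security zone via the per-user registry and read it back.

# Zone IDs and the 1400 action value follow the standard IE zone layout under
# Internet Settings\Zones (assumption stated in the lead-in).
$ZoneIds      = @{ LocalIntranet = 1; TrustedSites = 2; Internet = 3; RestrictedSites = 4 }
$ActionValues = @{ Enable = 0; Prompt = 1; Disable = 3 }
$ActiveScripting = '1400'

function Get-IEZoneKey([string]$Zone) {
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$($ZoneIds[$Zone])"
}

function Set-IEActiveScripting([string]$Zone, [string]$Action) {
    $key = Get-IEZoneKey $Zone
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $ActiveScripting -Value $ActionValues[$Action] -Type DWord
}

function Get-IEActiveScripting([string]$Zone) {
    $key = Get-IEZoneKey $Zone
    $raw = (Get-ItemProperty -Path $key -Name $ActiveScripting -ErrorAction SilentlyContinue).$ActiveScripting
    # A missing value means nothing is set per user; IE falls back to the zone's template default.
    if ($null -eq $raw) { return 'not set in HKCU (zone default applies)' }
    $match = $ActionValues.GetEnumerator() | Where-Object { $_.Value -eq $raw } | Select-Object -First 1
    if ($match) { $match.Key } else { "unknown ($raw)" }
}

# Workaround: prompt (use -Action Disable for the stricter option) in the two
# zones where an attacker-controlled page would normally load.
foreach ($zone in 'Internet', 'LocalIntranet') {
    Set-IEActiveScripting -Zone $zone -Action Prompt
    '{0,-14} Active scripting = {1}' -f $zone, (Get-IEActiveScripting $zone)
}
```

Two caveats a practitioner should keep in mind: a machine-wide zone policy (the HKLM copy of the same keys, or Group Policy) takes precedence over HKCU, so the read-back above confirms only the per-user setting; and prompting, unlike disabling, still lets a user click through to the malicious page's script.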
"We are currently investigating the issue to determine the appropriate course of action for customers," said the Redmond, Wash.-based developer in its online advisory. "We will include the fix for this issue in an upcoming security bulletin." Microsoft's next scheduled patch release is Dec. 13, but the company has shipped out-of-cycle fixes on occasion when it deemed one important enough.
Microsoft downplayed the threat, and chided the security vendor that released a detailed analysis of the bug along with proof-of-concept code.
"Microsoft is not aware of any customer impact at this time," said a company spokesperson.
Even though the vulnerability first surfaced in late May, the spokesperson went on to say that "Microsoft is disappointed that certain security researchers have breached common industry practices and published proof of concept code potentially harming computer users."
U.K.-based Computer Terrorism Ltd. released the proof-of-concept code Monday.
Microsoft typically condemns researchers who release information prior to the company providing a patch. "Microsoft continues to urge security researchers to disclose vulnerability information responsibly and allow customers time to deploy updates," the spokesperson added.
She defended the company's lack of action in May by pointing to the low threat the vulnerability originally appeared to pose. "[It was reported] as being a stability issue that caused the browser to close. Since then, new information has been posted that indicates remote code execution could be possible."
Alfred Huger, senior director of engineering for Symantec's security response team, took Microsoft's side on this one. "There are so many [security] issues that they have to deal with, they have to do triage," he said, referring to the prioritizing practice. "I don't see this as any kind of malicious inattention."
As is its practice, Microsoft would not commit to a timetable for patching the flaw. "We will issue a fix for this issue once the investigation is complete and the update is found to be well engineered and as thoroughly tested as possible," said the spokesperson.