Microsoft confirmed today that it was aware of the bug behind an epidemic of Internet Explorer attacks for more than a year, but it continues to defend its security process against critics. Mike Reavey, director of Microsoft’s Security Response Center, acknowledged that the company received word of a critical flaw in an ActiveX control during the spring of 2008. The bug can be exploited in IE6 and IE7 on Windows XP.
Researchers Ryan Smith and Alex Wheeler reported the bug’s presence to Microsoft executives when they worked at IBM’s ISS X-Force in 2007. While Smith and Wheeler won’t specify exactly when they reported the vulnerability, the bug’s Common Vulnerabilities and Exposures (CVE) number points to an early 2008 timeframe. John Pescatore, Gartner’s primary security analyst, insists that the almost 18-month stretch between the bug being found and now is too long for customers to operate their systems without a patch. “That’s just not an acceptable timeframe,” Pescatore said. “It shouldn’t take a year, not [for] a company the size of Microsoft.”
It was also revealed today that Microsoft has still not finished a complete fix for the bug. Courtesy of computerworld.com