Microsoft is downplaying the release of purported vulnerabilities in Internet Explorer 6. The flaws were revealed late last week.
"We have not been made aware of any active exploits of the reported vulnerabilities or customer impact at this time, but we are aggressively investigating the public reports," said Stephen Toulouse, security program manager for Microsoft Security Response Center, in a statement.
If a fix is needed, the company will take "appropriate action to protect" customers, either in the monthly patch release or an out-of-cycle patch, Toulouse said.
Late last week, Liu Die Yu, an independent Chinese security researcher, posted the details of several flaws affecting Internet Explorer 6 to security mailing lists. The vulnerabilities can allegedly allow remote attackers to compromise systems.
In an e-mail interview with SearchSecurity.com, Liu said he found the flaws through trial and error. "I just try and try," he said. "I only tested on IE6, but it doesn't mean they only work on IE6."
In Liu's opinion, the most severe flaw is one that could allow attackers to reach the local security zone, download a file and then execute it.
Since there is no patch available, security experts recommend disabling Active Scripting to minimize any risk associated with the flaws.
There are many non-technical issues surrounding the release of the vulnerabilities. Liu didn't give Microsoft a heads-up about them before releasing them because he felt slighted after the company allegedly didn't give him credit for finding a past flaw.
Microsoft was none too pleased with Liu's lack of cooperation. "Microsoft is concerned that these new reports of vulnerabilities in Internet Explorer were not disclosed responsibly, potentially putting computer users at risk," Toulouse said.
Coincidentally, Apple Computer Inc. faced a similar fate this week. A researcher released the details of a vulnerability he'd found in Apple's OS X operating system because he felt the company was dragging its feet on the matter.