Microsoft concerned about IE disclosure

Microsoft said it is investigating public reports of new flaws in Internet Explorer, and expressed concern the details were disclosed to the public. The Chinese researcher who found the flaws said he did not report them first to Microsoft because he felt cheated that Redmond did not credit him for finding a previous flaw.

Microsoft is downplaying the release of purported vulnerabilities in Internet Explorer 6. The flaws were revealed late last week.

"We have not been made aware of any active exploits of the reported vulnerabilities or customer impact at this time, but we are aggressively investigating the public reports," said Stephen Toulouse, security program manager for Microsoft Security Response Center, in a statement.

If a fix is needed, the company will take "appropriate action to protect" customers, either in the monthly patch release or an out-of-cycle patch, Toulouse said.

Late last week, Liu Die Yu, an independent Chinese security researcher, posted the details of several flaws affecting Internet Explorer 6 to security mailing lists. The vulnerabilities can allegedly allow remote attackers to compromise systems.

In an e-mail interview, Liu said he found the flaws through trial and error. "I just try and try," he said. "I only tested on IE6, but it doesn't mean they only work on IE6."

In Liu's opinion, the most severe flaw is one that could allow attackers to reach the local security zone and download a file and then execute it.

Since there is no patch available, security experts recommend disabling Active Scripting to minimize any risk associated with the flaws.

There are many non-technical issues surrounding the release of the vulnerabilities. Liu didn't give Microsoft a heads-up about them before releasing them because he felt slighted after the company allegedly didn't give him credit for finding a past flaw.

Microsoft was none too pleased with Liu's lack of cooperation. "Microsoft is concerned that these new reports of vulnerabilities in Internet Explorer were not disclosed responsibly, potentially putting computer users at risk," Toulouse said.

Coincidentally, Apple Computer Inc. faced a similar fate this week. A researcher released the details of a vulnerability he'd found in Apple's OS X operating system because he felt the company was dragging its feet on the matter.
