By Gregg Keizer
Sept. 16, 2005
Microsoft's Internet Explorer browser sports a flaw that hackers could
use to launch a remote attack on Windows XP SP2, eEye Digital Security
"The flaw is remotely exploitable," said Mike Puterbaugh, eEye's
director of product management.
Although eEye has notified Microsoft of the bug -- and Microsoft has
confirmed receipt of the report -- no patch is available. According to
eEye, that's not unusual: on average, Microsoft has taken 132 days to
patch holes that the Aliso Viejo, Calif.-based security vendor has
reported since February 2004.
eEye takes the unique step of logging its reports to Microsoft, then
showing the number of days since the vulnerability was confirmed by
the Redmond company. After 60 days, it considers a patch "overdue."
Internet Explorer, says eEye, has at least five other critical, but
unpatched, vulnerabilities, including ones reported 15, 46, 129, 134,
and 171 days ago.
Microsoft has been patching IE regularly, but is having trouble
keeping up with the browser's vulnerabilities. In August, it fixed
three bugs in the browser, and since the first of the year, has
patched IE five out of nine months.
Sept 16-18th, 2005
San Diego, California