Microsoft Promises To Patch IE Zero-Day Bug

In the meantime, the company's advisory offers up several steps users could take to prevent an attack, including disabling active scripting and requiring IE to prompt before running active scripting.
U.K.-based Computer Terrorism Ltd. released the proof-of-concept code Monday.

Microsoft typically condemns researchers who release information prior to the company providing a patch. "Microsoft continues to urge security researchers to disclose vulnerability information responsibly and allow customers time to deploy updates," the spokesperson added.

She defended the company's lack of action in May, citing the low threat the vulnerability originally posed. "[It was reported] as being a stability issue that caused the browser to close. Since then, new information has been posted that indicates remote code execution could be possible."

Alfred Huger, senior director of engineering for Symantec's security response team, took Microsoft's side on this one. "There are so many [security] issues that they have to deal with, they have to do triage," he said, referring to the prioritizing practice. "I don't see this as any kind of malicious inattention."

As is its practice, Microsoft would not commit to a timetable for patching the flaw. "We will issue a fix for this issue once the investigation is complete and the update is found to be well engineered and as thoroughly tested as possible," said the spokesperson.
