Why did Microsoft take so long?
Published: 13 Feb 2004 15:00 GMT
Some researchers believe that Microsoft may have been sidetracked with other vulnerabilities, such as the patch for an Internet Explorer flaw that allowed scam artists to dress up fraudulent Web sites to look real by adorning them with the actual address of a real company. Microsoft was the target of a lot of criticism for not immediately fixing the so-called "phishing" flaw.
Such criticism may focus the company on flaws that should have a lower priority, said Thor Larholm, senior security researcher for security software maker PivX Solutions.
"Microsoft still does treat some of the security vulnerabilities as public relations issues," Larholm said. "They will put a priority on fixing flaws that their customers are complaining about."
The phishing flaw was patched in about 60 days, and the fix was released a week early.
For eEye, the difference in results is marked and has resulted in the company using new ways to get Microsoft to focus on its flaws. The company has turned up the heat on the creator of Windows by posting a list of vulnerabilities that eEye has submitted to Microsoft but that remain unfixed.
According to the list, two other serious flaws have yet to be patched, and it's been five months since the software giant was first notified of them.
For now, eEye's Maiffret is content to wait for the results of the new tactic. "It is just one sort of action to take," he said. "We have more things planned if they don't keep up."