Microsoft is stalling requests for more information on the "extremely critical" security hole in Internet Explorer, discovered on Monday.
The problem has escalated thanks to the appearance of exploit code on public security lists, but the software giant claimed late Thursday that it could not comment as it had not yet seen the malicious code.
That explanation is extremely unlikely given the fact that it was posted at 2am GMT on Tuesday on the very well-known security list Full Disclosure by the man publicly credited with finding the flaw - Berend-Jan Wever. It is here in fact.
However, the CTO of Danish security company Secunia, Thomas Kristensen, told Techworld on Friday morning that it is now in discussion with Microsoft over how to sort out the hole. Secunia had earlier posted an advisory on the vulnerability.
Microsoft is clearly concerned about the significant hole since it can allow someone to run their own code on a machine and potentially seize control of your PC. So it is keeping quiet until a patch is produced. It has suggested that it may do an out-of-cycle security update just for the hole.
It is not all bad news, however. The flaw, while huge, is non-existent for those Windows XP users who have installed the much-vaunted security service pack 2, released by Microsoft in August. Since SP2 was intended to stem the constant stream of embarrassing security holes discovered in Microsoft software, Microsoft will be fully justified in crowing that that is exactly what it has done in this case.
Once it has patched this big hole in its Swiss cheese of a browser.