Microsoft delayed critical IE patch for months

Microsoft reportedly took at least three months to patch a critical IE6 vulnerability that allowed China-based hackers to load malware onto Google computers, obtain intellectual property and glean information linked to Gmail users.

“[The company] was aware months ago of the vulnerability well before hackers exploited it to breach Google, Adobe and other large US companies but did not patch the hole until [January 21, 2010],” explained Wired’s Kim Zetter.

“Meron Sellen, a security researcher at BugSec, an Israeli firm, quietly reported the vulnerability to Microsoft in September.”

According to Zetter, Microsoft admitted that it had been informed about the flaw in September, but insisted that work on the patch had begun almost immediately.

“Our investigation into this responsibly reported vulnerability began early September,” Jerry Bryant, senior security program manager for Microsoft, claimed in a statement obtained by Wired.

“As part of this investigation we began working on an update to help protect customers. We became aware of the recent attacks in mid January and as part of our investigation determined the vulnerability being used in these attacks was similar to the one investigated in September.”

Meanwhile, White House spokesman Bill Burton announced that President Barack Obama “continued to be troubled” by the recent cyber security breach at Google China.

“Countries or individuals that engage in cyber attacks should face consequences and international condemnation,” Burton told Reuters. 

“All we’re looking for from China are some answers.”