This story was printed from ZDNet Australia.
Microsoft apologises in security flap
By Wendy McAuliffe, ZDNet UK
November 20, 2001
URL: http://www.zdnet.com.au/news/security/soa/Microsoft-apologises-in-security-flap/0,130061744,120261929,00.htm

Microsoft has acknowledged that it knew about an Internet Explorer security hole--and failed to issue a fix--a full week before it accused a security company of placing IE users at risk by publicly disclosing details of the flaw.

A Microsoft representative retracted an earlier claim that the company first heard of the flaw on November 8--the date of security company Online Solutions' public disclosure--and said Microsoft was actually notified by Online a week earlier, on November 1.

Two weeks were needed to investigate the alert properly, said Neil Laver, Windows product marketing manager for Microsoft, and no security breaches occurred during the delay.

"We are obviously not going to respond instantly. We have to sieve the wheat from the chaff to determine how reliable the vulnerability warning is," said Laver. "Until we can investigate the issue, we are not going to issue a bulletin, as that would create a crying-wolf situation."

The high-risk vulnerability in versions 5.5 and 6.0 of Internet Explorer allows malicious code to gain unauthorized access to a PC user's cookies and expose the sensitive information that they contain. Cookies are text files saved on a computer's hard drive to identify the user to Web sites. Because most e-commerce Web sites use cookies to store information about users, it is possible that personal information could be exposed through the software hole.

Online Solutions discovered the hole November 1 and informed Microsoft's Security Response Centre of the technical details of its discovery the same day. Microsoft responded to Online, acknowledging the alert and promising to investigate the issue as quickly as possible.

But a lack of feedback on the investigation prompted Online Solutions to place increasing pressure on Microsoft to issue a bulletin about the hole. After one week of waiting, the security company went public with a press release about the flaw on November 9--Microsoft published an alert on its Web site later that day.

"We decided to make the issue public," said Jyrki Salmi, managing director of Online Solutions. "We did the responsible thing. People who are using software that their business relies on to hold personal information should be aware in reasonable time that the program is not secure.

"Microsoft argued that by releasing details of the bug, it would give people time to take advantage of the vulnerability," Salmi added, "but so far we haven't heard of any security breaches."

Acknowledging that Online Solutions acted responsibly, Microsoft apologised for what it called its "inaccurate" earlier statements.

"We receive vast numbers of alerts on a daily basis," said Laver. "We are not going to respond instantly. We have to test multiple configurations and find an appropriate work-around that doesn't break Web-based applications."

The work-around, issued November 9, advises customers to disable Active Scripting, a move that protects them from Web-hosted and mail-borne variants of the vulnerability. A patch was issued November 14.

Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.