After 7 months, security research organization TippingPoint disclosed a vulnerability in Internet Explorer for which no patch is available because Microsoft needs too much time to develop it. In the worst case, a hacked or malicious website, which is visited with a vulnerable Internet Explorer version, can give attackers full control over the system.Microsoft was informed about the vulnerability on June 3rd this year and the company confirmed the issue the same day.
TippingPoint has a deadline of 120 days before the company releases details about a vulnerability. In those 120 days developers of affected software should have released a patch and when not possible, developers are able to get additional time. In case of this Internet Explorer vulnerability, Microsoft informed the company on November 14th that it wouldn't meet the extended deadline of 180 days.
TippingPoint gives companies a deadline to ensure the leak is fixed as soon as possible, after the deadline the vulnerability is disclosed to give security companies the opportunity to create defenses against attacks exploiting the vulnerability.
Thereafter TippingPoint warned the software giant that it would publish about the vulnerability in December and asked Microsoft what the company advises its consumers while they are waiting for the update. Microsoft advices Internet Explorer users to install the Enhanced Mitigation Experience Toolkit (EMET), to surf with fewer user rights, to block ActiveX Controls and Active Scripting, to set the security zone for Internet to high and to disable Active Scripting or to set it to ask permission before it's allowed to execute.
