Microsoft Has Let "Devastating Browser Download Hole" Exist Since November 19
Yesterday, Newsbytes reported that Microsoft will patch a flaw in Internet Explorer that allows malicious code to be silently downloaded and executed. The vulnerability definitely affects IE 5, 5.5, and 6 for Windows, and may affect some versions of Outlook, Outlook Express, and Eudora. Microsoft was made aware of this problem three weeks ago.
If the vulnerability is a "devastating browser download hole" as the Newsbytes article says, Microsoft's response was not nearly fast enough. Also, the security-by-obscurity approach taken by the organization that discovered the problem is preventing people who are at risk from making a proper assessment of potential security threats.