Users still waiting for browser patch

Microsoft has admitted that it is still unable to release a fix for a serious flaw in Internet Explorer (IE) that allows hackers to clone websites.

Security experts notified the software giant about the vulnerability, exploited in so-called 'phishing' attacks, early last month.

The company was expected to solve the problem in its monthly security bulletin last week, but it failed to appear.

If Microsoft decides not to release the patch until its next security bulletin, users will have to wait until at least 10 February for a solution.

"We know, and have recorded, that there is an issue and a problem, and we are working on a patch that will be issued as soon as possible," Stuart Okin, chief security officer at Microsoft UK, told vnunet.com's sister title Computing.

The IE flaw allows websites to be copied and passed off as the real thing. Fraudsters send emails to consumers claiming to be from a bank or other organisation, with a link to the spoofed site asking for details such as security information and passwords.

Companies hit by phishing attacks in recent months include Visa, CitiBank, Lloyds TSB, Barclays and eBay.

Okin is unclear about the progression of the IE patch, or when it will be released.

"We haven't decided if it will be out of the monthly patch cycle or within the main release. This will be based on consumer feedback," he said.

Security experts believe that the flaw has serious implications that could damage consumer trust in the internet.

"I think this is a major problem," said Dinis Cruz, chief technology officer at security firm CISSP.

"It has the potential to affect the amount of trust consumers have in the internet. Once you break that trust, it is very hard to get it back."