Researchers at an HP security division have publicly detailed four code-execution vulnerabilities that can be used to hijack end-user machines running the latest versions of Microsoft's Internet Explorer browser.
The disclosures earlier this week came more than six months after researchers from HP-owned TippingPoint first privately reported the bugs to Microsoft security engineers. According to the advisories published here, here, here, and here, Microsoft officials acknowledged the bugs and in each case asked for an extension beyond the four months TippingPoint officials normally wait before publicly disclosing vulnerabilities. All four of the extensions expired Sunday, leading to the public disclosure of the bugs.
It remains unclear why Microsoft hasn't issued fixes. TippingPoint alerted Microsoft to three of the vulnerabilities in January and one of them last November. A Microsoft spokesman told Ars he was looking in to the matter.