Microsoft drags feet on fixing IE9 bug that disrupts anti-keylogging technology

Waller told Infosecurity that IE9 has a bug that prevents his company’s GuardedID keystroke encryption software from working properly, which has led to a flood of consumer complaints to the company. Microsoft was made aware of and acknowledged the bug in April, he said.

The software, which the company patented, encrypts computer keystrokes to prevent cybercriminals from using keyloggers to steal confidential information. Keyloggers were used in such high-profile breaches as RSA, Epsilon, Lockheed Martin, Michaels Stores, and the Oak Ridge National Laboratory, as well as in the Coreflood botnet taken down by the FBI this year, Waller noted.

In addition to encrypting the keystrokes, the product also decrypts the characters when the user wants to enter information in a web application, such as logging into an online banking session. Without this decrypting ability, the user cannot enter characters into web applications. And that is where the IE9 bug comes in.
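The two-stage design described above, and the failure mode the rest of the article is about, can be modelled in a few lines. The Python below is an added illustration, not the vendor's code: the stream cipher, the session key, and every function name are assumptions, and the "tap" simply stands for any hook that reads keystrokes above the encrypting layer. It shows that such a hook sees only ciphertext, that the browser-side component must decrypt before the characters reach the form, and that if that component stops working (the situation Waller describes under IE9) the form receives unusable ciphertext rather than what the user typed.

```python
"""Toy model of keystroke encryption with a separate browser-side decryptor.

Added example, not GuardedID code. An encrypting layer sits below any
keystroke hook; a browser component decrypts just before the characters
are written into the web form. All names and the cipher are assumptions.
"""
import hashlib
import hmac

# Constructed session key; a real product would establish this securely
# between the low-level encrypting layer and the browser component.
SESSION_KEY = b"constructed-session-key"


def keystream_byte(key: bytes, index: int) -> int:
    """Deterministic keystream byte for keystroke position `index`.

    HMAC-SHA256 over the counter is used only as a simple, dependency-free
    way to derive a fresh byte per position (assumed, not the product's cipher).
    """
    return hmac.new(key, index.to_bytes(8, "big"), hashlib.sha256).digest()[0]


def encrypt_keystrokes(keys: str, key: bytes = SESSION_KEY) -> list[int]:
    """Low-level layer: XOR each typed character with its keystream byte
    before it travels up the input stack."""
    return [ord(c) ^ keystream_byte(key, i) for i, c in enumerate(keys)]


def decrypt_keystrokes(cipher: list[int], key: bytes = SESSION_KEY) -> str:
    """Browser component: reverse the XOR so the form sees the real characters."""
    return "".join(chr(b ^ keystream_byte(key, i)) for i, b in enumerate(cipher))


def deliver_to_form(keys: str, browser_component_working: bool,
                    key: bytes = SESSION_KEY) -> tuple[str, str]:
    """Run keystrokes through the stack.

    Returns (what a hook placed above the encryptor would observe,
             what the web form actually receives).
    """
    cipher = encrypt_keystrokes(keys, key)
    # Anything reading keystrokes above the encrypting layer gets ciphertext.
    observed_by_tap = "".join(chr(b) for b in cipher)
    if browser_component_working:
        form_value = decrypt_keystrokes(cipher, key)
    else:
        # The regression scenario: no decryption happens in the browser,
        # so the ciphertext lands in the field and the user cannot log in.
        form_value = observed_by_tap
    return observed_by_tap, form_value


if __name__ == "__main__":
    typed = "hunter2"  # constructed sample password
    for working in (True, False):
        seen, form = deliver_to_form(typed, working)
        print(f"browser component working={working}: "
              f"tap saw {seen!r}, form received {form!r}")
```

Running it prints the ciphertext the tap sees in both cases; only with the browser component working does the form receive `hunter2`. The point the model makes is architectural: the protection and the usability of the product depend on two cooperating pieces, so a browser change that silently disables the second piece breaks logins for every user on that browser without weakening what the first piece does.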

“One of the components of the anti-keylogging software is a toolbar that sits in the IE browser and decrypts the data into the web application. When IE9 beta came out everything worked just fine; when they released their production version our product didn’t work any longer. We debugged the issue and found out that Microsoft had changed their browser code and actually introduced a bug into their production version. We contacted [Microsoft] immediately and they acknowledged the problem…and they said they would get it fixed”, Waller explained in an email. That was six months, and hundreds of complaint calls, ago.

In an April 11 email to Waller, Veena Karanam, an escalation engineer with Microsoft, said that the IE product team “has already reviewed this issue and they have confirmed that this was an unintentional regression….while they acknowledge it, they have to follow the regular process guidelines and prioritize it appropriately among the other requests on their plate.”

This was followed by emails in June, July, and August from different Microsoft personnel promising to fix the problem, but declining to provide a timeline for the fix.

Waller said that in telephone conversations with Microsoft, the company promised in April to get the problem fixed in a month. The month turned into 45 days. Waller said he was passed around to various departments within the company without a resolution of the problem.

“I said, ‘Guys, this is a major issue. I’ve got millions of copies out there. I closed major deals with major corporations that are delivering the product out to consumers. And I’m getting hundreds of calls a day because it is not working. You’ve got to fix this’. They said, ‘We are going to get it on the release schedule. We’ll have it in the next 30 days’. And this has been going on since April”, related Waller.

Waller said he last called Microsoft this week and still got the runaround. “They said…’We will get around to it if and when we deem it’s important’. Meanwhile, I have several million people using our software….And if you put IE9 on your system, the web version of our software is useless. They just don’t care.”

Microsoft declined to comment on Waller’s charges for this story.
