Microsoft said Monday that it was developing a software patch "as quickly as possible" after a 21-year-old former employee publicized a potential security flaw in the company's popular Web browser.
In a conference call with privacy advocates and reporters, Bennett Haselton, the former employee and an opponent of Internet censorship who lives in Seattle, said he could use the flaw to read the inboxes of
accounts and order products on
without the account holders' permission or knowledge.
All known versions of Microsoft's Internet Explorer are vulnerable, according to Haselton's Web site,
The flaw involves cookies, the small records that electronic commerce sites routinely deposit on the computers of Web users to keep track of their purchases and logins and for other monitoring purposes. A browser is supposed to send each cookie back only to the domain that set it. Using a specially constructed uniform resource locator, or URL, a Web site can trick Internet Explorer into handing over the cookies that belong to any other domain, which lets that site read them.
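The following is an added example, not code from the article, from Microsoft or from Peacefire. The article says only that a "specially constructed URL" lets a site read another domain's cookies; the crafted URL below and the two hypothetical parsers are assumptions that illustrate the general bug class behind that description: one part of a browser parses the URL to decide which host to fetch from, another part parses it differently to decide which cookies to attach, and the attacker's page receives cookies that belong to someone else. The strict parser at the end shows the check a practitioner wants.

```javascript
// Added example, not code from the article, Microsoft or Peacefire.
// The crafted URL and the "naive" parsers are assumptions used to
// illustrate the bug class; the article gives no details of the real URL.

// Constructed cookie jar: the entries a browser would hold for two sites.
const JAR = [
  { name: "session", value: "s3cr3t", domain: "mail.example" },
  { name: "cart", value: "12345", domain: "shop.example" },
];

// RFC 6265 domain matching, simplified: the request host must equal the
// cookie's domain or be a subdomain of it. This part is correct; the bug
// is in what gets passed in as `host`.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// Names of the cookies the jar would release to a request for `host`.
function cookiesFor(host) {
  return JAR.filter((c) => domainMatches(host, c.domain)).map((c) => c.name);
}

// Hypothetical buggy cookie-scope parser: takes everything between "://"
// and the first literal "/" as the host, without percent-decoding.
function naiveCookieHost(url) {
  const m = /^https?:\/\/([^/]*)/.exec(url);
  return m ? m[1] : null;
}

// Hypothetical fetch layer in the same browser: decodes %2F to "/" before
// splitting, so it connects to a different host than the cookie code saw.
function naiveFetchHost(url) {
  return naiveCookieHost(url.replace(/%2f/gi, "/"));
}

// The check a practitioner wants: one WHATWG URL parser for every decision.
// A percent-encoded "/" or "?" decodes to a forbidden host code point, so
// the URL is rejected outright instead of yielding two different hosts.
function strictHost(url) {
  try {
    return new URL(url).hostname;
  } catch (_e) {
    return null;
  }
}

// Run a URL through the buggy pair and the strict parser.
function scopeCheck(url) {
  const cookieHost = naiveCookieHost(url);
  return {
    fetchedFrom: naiveFetchHost(url),
    cookieHost,
    released: cookieHost === null ? [] : cookiesFor(cookieHost),
    strict: strictHost(url),
  };
}

// Constructed attacker URL (an assumption, not the URL from the report):
// the encoded path makes the naive "host" end in ".mail.example".
const CRAFTED = "http://attacker.example%2fsteal.html%3F.mail.example/";

console.log(scopeCheck("http://mail.example/inbox"));
console.log(scopeCheck(CRAFTED));
```

For the honest URL all three views agree on `mail.example`. For the crafted URL the fetch layer connects to `attacker.example` while the cookie code sees a "host" ending in `.mail.example` and releases the `session` cookie to the attacker's page; the strict parser returns `null` because a decoded `/` is not allowed in a host, which is why a browser should derive both the connection host and the cookie scope from a single, strict parse.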
A spokeswoman for Microsoft said that the flaw could be exploited only if a user is coerced or enticed to visit a Web site operated by someone who intends to exploit the flaw. The company is developing a software patch that will be available shortly, said the spokeswoman, who works for the company's outside public relations firm and asked that she not be identified because of Microsoft's press policies.
Jason Catlett, a privacy advocate who operates the Web site
, said the flaw would not allow hackers to gain access to passwords but that it still raised concerns because victims could be impersonated or have the privacy of their email violated.
Haselton, whose discovery was detailed in an article in The Wall Street Journal on Monday, said in a telephone interview that he was looking for flaws in Microsoft software in hopes that he could expose them to gain publicity for his anti-censorship Web site.
Haselton said he took a pad of paper along on his Easter break to visit family members a few weeks ago. The purpose of the pad, he said, was to write down potential hacks to try when he returned home to Seattle.
"I did this for the publicity," Haselton said. "I hope the people on my old working group saw it in The Wall Street Journal."
Haselton said he worked at Microsoft from May 1999 until January and had hoped to become a software engineer tasked with ferreting out bugs for the company. He said that he was not allowed to take training courses and was instead dismissed from the company.
"They said I was too dumb for it," Haselton said.
The spokeswoman for Microsoft confirmed that Haselton had worked for the company.
As originally published, this story contained an error. Please see Corrections and Clarifications.