Browser Flaw Creates Major Communications Challenge for Microsoft


It’s a delicate balance for PR pros and communicators: What is your obligation to consumers when your online products and services have been compromised in some way?

Microsoft Corp. is now grappling with the issue following an advisory from the U.S. Department of Homeland Security that Americans not use the Internet Explorer Web browser until a fix is found for a security flaw that came to light this past weekend.

The bug was announced on Saturday by FireEye Research Labs, an Internet security software company based in Milpitas, Calif.

"We are currently unaware of a practical solution to this problem," the Department of Homeland Security's U.S. Computer Emergency Readiness Team said in a post Monday morning.

It recommended that users and administrators "consider employing an alternative Web browser until an official update is available."

The security flaw allows hackers to get around security protections in the Windows operating system. They then can be infected when visiting a compromised website.

Microsoft on Saturday posted a security advisory, saying that it is aware of  “limited, targeted attacks that attempt to exploit a vulnerability” in Internet Explorer versions 6 through 11.

(About 55% of PC computers run one of those versions of Internet Explorer, according to the technology research company NetMarketShare.)

“We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers," the statement added.

According to USA Today, Microsoft typically releases security patches on the second Tuesday of each month, what's known as “Patch Tuesday.” The next one is Tuesday, May 14.

However, this latest Explorer episode begs the question: Should Microsoft issue another security advisory sooner than May 14?

In light of the ubiquity of Internet Explorer, it stands to reason that Microsoft keep consumers (and technology reporters) informed about developments related to the security flaw, when it is remedied and what Microsoft is doing to prevent the problem from happening again.

From a PR standpoint, anything less may open up Microsoft to some uncomfortable questions about whether it’s leaving consumers’ Internet Explorer Web browsers vulnerable to hackers.

Considering the problem is rooted in Web technology, Microsoft (or any technology brand for that matter) has to be careful that the communications not get bogged down in Internet-security jargon that will make your eyes glaze over.

A case like this requires PR pros to use language that is easily understood and is targeted to consumers (rather than computer security experts). Anything less could, however circuitously, damage Microsoft’s reputation.

Follow Matthew Schwartz on Twitter: @mpsjourno1