It has been suggested that Microsoft knew about the Internet Explorer security flaw that was exploited in the wild last week almost two months before it came to the attention of outside experts.
The company released a Fix It tool to mitigate the problem ahead of the permanent “out-of-cycle” IE security update on Friday, and was praised for a fast response. However, the patch notes credit TippingPoint’s Zero Day Initiative (ZDI) for finding the flaw, and not Eric Romang, who made it public on 15 September.
On 15 September, Microsoft acknowledged that a previously unknown and unpatched IE vulnerability was being actively exploited, after Romang, a security researcher, identified the attack and shared the samples with the Metasploit project.
The problem was so severe that the German government’s Federal Office for Information Security advised all users to temporarily switch browsers until a patch was ready.
Microsoft released a short-term solution by 18 September and an emergency security update by 21 September. In its patch notes, Microsoft thanked “an anonymous researcher, working with TippingPoint’s Zero Day Initiative, for reporting the execCommand Use After Free Vulnerability (CVE-2012-4969)”. However, the patch notes don’t specify when this vulnerability was discovered.
TippingPoint Zero Day Initiative (ZDI) is a bug bounty programme operated by Hewlett-Packard, whose vulnerability reports feed the Digital Vaccine filters for TippingPoint’s intrusion prevention systems (IPS).
Eric Romang, the researcher who had found the exploit on a hacker-controlled server, and disclosed it on 15 September, was surprised to see ZDI credited for the discovery.
“So, to be clear, this means that this vulnerability was discovered by another researcher, previously to my discovery, reported to ZDI, which then reported it to Microsoft,” wrote Romang on his blog.
He also said that “ZDI is a part of the zero-day exploit market, and that the principal objective of this market is to make money by selling 0days to interested persons or organizations.”
In a blog post on Friday, Robert Graham from Errata Security suggested that attackers may be “reverse engineering” HP’s Digital Vaccine IPS filters, which are built from information collected by ZDI. This would explain how the attackers found the vulnerability in the first place.
According to PC Advisor, another clue to an early warning of the IE vulnerability comes from IE10. The latest version of the Microsoft browser was not threatened by the flaw, and according to Andrew Storms from nCircle Security, this could mean that it was already patched using information from ZDI.
Windows users can obtain MS12-063 via the Microsoft Update and Windows Update services, as well as through the enterprise-grade Windows Server Update Services.