Microsoft Could Have Known About IE Security Flaw In Advance

It has been suggested that Microsoft knew about the security flaw that hit its Internet Explorer browser last week almost two months before it came to the attention of the experts.

The company released a Fix It tool to alleviate the problem ahead of the permanent “out-of-cycle” IE security update on Friday, and was praised for a fast response. However, the patch notes credit TippingPoint Zero Day Initiative (ZDI) for finding the flaw, and not Eric Romang who made it public on 15 September.

Suspicious minds

On 15 September, Microsoft acknowledged that a previously unknown and unpatched IE vulnerability was being actively exploited in attacks, after it was identified by Romang, a security researcher from the Metasploit project.

The vulnerability was present in Internet Explorer 9 and earlier versions. According to Microsoft, it “could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.” An attacker who successfully exploited this vulnerability “could gain the same user rights as the current user.”

The problem was so severe that the German government’s Federal Office for Information Security advised all users to temporarily switch browsers until a patch was ready.

Microsoft released a short-term solution by 18 September and an emergency security update by 21 September. In its patch notes, Microsoft thanked “an anonymous researcher, working with TippingPoint’s Zero Day Initiative, for reporting the execCommand Use After Free Vulnerability (CVE-2012-4969)”. However, the patch notes don’t specify when this vulnerability was discovered.

TippingPoint Zero Day Initiative (ZDI) is a bug bounty program operated by Hewlett-Packard, which helps develop Digital Vaccine Intrusion Prevention Systems (IPS).

According to ZDI’s own listings, the organisation submitted its most recent advisory from an “anonymous” researcher to Microsoft on 24 July. If that advisory contained information about the IE zero-day, the Redmond company had almost two months to come up with a solution.

Eric Romang, the researcher who had found the exploit on a hacker-controlled server and disclosed it on 15 September, was surprised to see ZDI credited for the discovery.

“So, to be clear, this means that this vulnerability was discovered by another researcher, previously to my discovery, reported to ZDI, which then reported it to Microsoft,” wrote Romang on his blog.

He also said that “ZDI is a part of the zero-day exploit market, and that the principal objective of this market is to do money by selling 0days to interested persons or organizations.”

In a blog post on Friday, Robert Graham from Errata Security suggested that hackers may be “reverse engineering” HP’s Digital Vaccine IPS, which are created based on information collected by ZDI. This would explain how the vulnerability was discovered by the hackers in the first place.

According to PC Advisor, another clue to an early warning of the IE vulnerability comes from IE10. The latest version of the Microsoft browser was not threatened by the flaw, and according to Andrew Storms from nCircle Security, this could mean that it was already patched using information from ZDI.

Windows users can obtain MS12-063 via the Microsoft Update and Windows Update services, as well as through the enterprise-grade Windows Server Update Services.

Max Smolaks

Max 'Beast from the East' Smolaks covers open source, public sector, startups and technology of the future at TechWeekEurope. If you find him looking lost on the streets of London, feed him coffee and sugar.
