An HP bug bounty program yesterday published information about a critical vulnerability in Internet Explorer 8 (IE8) because Microsoft did not meet its patch-or-we-go-public deadline.
HP TippingPoint's Zero Day Initiative (ZDI) revealed some details about the vulnerability Wednesday in an online advisory after its 180-day grace period had expired without Microsoft providing a patch to customers.
The bug, which was reported to ZDI by Belgium security researcher Peter Van Eeckhoutte, was handed to Microsoft on Oct. 11, 2013. At the time, ZDI had a 180-day patch policy: If the vendor did not patch the vulnerability in that time, or failed to explain why it could not, ZDI would go public with the flaw.
Since then ZDI has shortened the window to 120 days for all submissions after March 1, 2014.
The flaw has not been seen exploited in the wild, according to Microsoft, which confirmed the vulnerability.
"We are aware of a publicly disclosed issue involving Internet Explorer 8 and have not detected incidents affecting our customers," said a company spokeswoman in an email today.
Van Eeckhoutte echoed some of that in a blog post of his own today. "What was published [by ZDI] is an advisory not an exploit [emphasis in original]," he said, adding that "IE8 is affected and arbitrary code execution is definitely possible."
The latter means that if hackers could pinpoint the vulnerability given the sketchy details disclosed by ZDI, write a workable exploit and then dupe IE8 users into visiting a malicious or compromises website, the cyber criminals could hijack the PC and plant malware on it, pilfer its secrets and use it as a bot for further mischief.
ZDI has more than 100 unpatched vulnerabilities in its queue of reported-but-not-patched bugs, including 25 whose 180-day deadline has come and gone. So why announce the IE8 vulnerability?
ZDI's manager, Brian Gorenc, did not directly answer that question today. "In certain cases, ZDI may decide to delay posting details on a vulnerability if it's in the best interest of the public and the vendor is actively working to push out a patch near the end of the disclosure timeline," Gorenc said in an email.
He also denied that ZDI was in some way picking on Microsoft. "We treat all vendors equally when it comes to granting extensions and releasing zero-day advisories," Gorenc wrote.
But by revealing that IE8 has an unpatched vulnerability, one seven months old to boot, ZDI at the least caused Microsoft some embarrassment.
That's warranted, ZDI believes, or it would not have its 180-day -- and now a 120-day -- deadline for patching. The whole idea of a deadline is to pressure vendors into patching as quickly as possible.
Which is not only a good thing, said Van Eeckhoutte, but the way things should work. "I am worried, too, about a 180-day delay to get a bug fixed," he said. "But I would be really worried if the bug was actively being exploited and left unpatched for another 180 days."