Clues, experts say Microsoft knew of IE zero-day for weeks before patching

Bug-bounty program may have reported the browser flaw to Redmond in July

Microsoft may have known about last week's Internet Explorer (IE) zero-day bug for some time, according to its security advisory.

The vulnerability, which was patched Friday in an emergency, or "out-of-band," update, first became public on Sept. 15 when a researcher found an exploit on a known hacker server. The news prompted Microsoft to create a blocking tool within three days, then a fix for the flaw another three days later.

But the Redmond, Wash. company's security team likely knew of the bug long before that.

In the MS12-063 security bulletin, Microsoft credited Hewlett-Packard TippingPoint's bug bounty program, the Zero Day Initiative (ZDI), for reporting the vulnerability.

"Microsoft thanks ... an anonymous researcher, working with TippingPoint's Zero Day Initiative, for reporting the execCommand Use After Free Vulnerability (CVE-2012-4969)," the bulletin read, referring to the CVE, or Common Vulnerabilities and Exposures identifier for the IE zero-day.

When ZDI provided Microsoft with information about the bug, however, is unknown. Neither Microsoft nor HP TippingPoint responded to questions over the weekend about CVE-2012-4969's reporting timeline. Nor has ZDI published any technical information about the vulnerability, as it usually does once a vendor has patched a bug it reported.

Security experts also picked out the ZDI attribution, and speculated on what that meant.

"[The early warning] helped Microsoft get the patch out so quickly," said Wolfgang Kandek, CTO of Qualys, in an instant message conversation Friday. Researchers had praised Microsoft for turning out a patch in less than a week. Kandek, however, doubted that Microsoft had had much advance warning, citing the date on which the CVE identifier was assigned.

ZDI's listing of upcoming advisories -- those for bugs it has reported to vendors -- included 10 for Microsoft with "Anonymous" as the researcher.

The most recent match was reported to Microsoft on July 24, 2012, said ZDI, while the oldest was submitted May 25, 2011. Others between those two dates were logged on July 16 and March 14 of this year, and on Nov. 29, 2011.

If the newest was the one reporting CVE-2012-4969, Microsoft knew of the IE zero-day for more than seven weeks before Eric Romang, the researcher who announced finding an exploit on a hacker-controlled server, disclosed his discovery Sept. 15.

Romang also noticed the ZDI attribution in MS12-063.

"So, [to be] clear, this mean[s] that this vulnerability was discovered by another researcher, previous [to] my discovery, reported to ZDI, [which] then reported it to Microsoft," said Romang in a Saturday post to his personal blog.

HP TippingPoint runs its ZDI bug-bounty program to create protection signatures for its HP Digital Vaccine customers, who use them in their IPS (intrusion prevention system) hardware.
