Skip the navigation
News

Microsoft patches IE, admits it knew of bug last August

Fixes flaw used to attack Google, others; Israeli researchers sounded warning on Aug. 26, 2009

By Gregg Keizer
January 21, 2010 02:52 PM ET

Computerworld - As Microsoft patched the Internet Explorer (IE) vulnerability that was used to break into Google's network, it also acknowledged that it had known of the bug since August 2009, when an Israeli security company reported the flaw.

"As part of [our] investigation, we also determined that the vulnerability was the same as a vulnerability responsibly reported to us and confirmed in early September," said Jerry Bryant, a senior program manager with the Microsoft Security Response Center, on the MSRC blog today.

The MS10-002 bulletin that accompanied the IE update credited BugSec Security with reporting the bug that has raised a ruckus since Google accused Chinese cybercriminals with hacking its network.

Eyal Gruner, one of BugSec's chief technical experts, reported the vulnerability to Microsoft on Aug. 26, not in September as Microsoft indicated. And he was critical of Microsoft for taking this long to release a patch. "I think yes, it took too long," he said. "But Microsoft is a big organization and we don't know how much time it takes them. We asked them why it was taking such a long time, and they said it was because of the testing they had to do."

BugSec, based in Rishon LeZion, Israel, specializes in security solutions for major financial organizations in the country.

Andrew Storms, director of security operations at nCircle Network Security, said the fact that Microsoft knew of the vulnerability months before it crafted a patch -- months before Chinese criminals used the flaw -- shouldn't come as a shock.

"It's pretty par for the course, really," said Storms. "We know that patches sit for a good month or so in QA [quality assurance] at Microsoft. So if it was reported to Microsoft in September, it might not have been added to the [patch] cycle until October, and the code not written until November. A February release isn't crazy then."

Storms refused to use hindsight to say that Microsoft was tardy to the party. "Unless you have real evidence that it's being used, you can't take that into account when you prioritize patches," he argued. "You take into account the skill level necessary to exploit it. But if it's responsibly disclosed, you have to assume that it's not going to release [publicly]. And without partners saying that they're seeing signs of it being exploited, Microsoft probably thought they could just roll it into their normal IE release cycle."

Microsoft last patched IE in December 2009, and on average, updated its browser every two months.

It didn't surprise Gruner that others found the vulnerability, then decided to use it maliciously. "We found this vulnerability very easily," said Gruner, "and we didn't think it would be hard for others to find." BugSec spent about two weeks researching IE before it discovered the flaw, Gruner added.



Additional Resources
Forrester Consulting - Optimizing Users and Applications in a Mobile World
WHITE PAPER
Solving application issues over the WAN requires careful consideration. Based on their independent research, Forrester Consulting offers recommendations on how to tackle application performance issues, insufficient bandwidth and the inability to quickly restore users in a disaster.

Read now.

Security KnowledgeVault
WHITE PAPER
Security is not an option. This KnowledgeVault Series offers professional advice how to be proactive in the fight against cybercrimes and multi-layered security threats; how to adopt a holistic approach to protecting and managing data; and how to hire a qualified security assessor. Make security your Number 1 priority.

Read now.

Cut Communications Costs Once and for All
WHITE PAPER
New IP-based communications systems are being deployed by small and midsized businesses at a rapid rate. Learn how these organizations are enabling faster responsiveness, creating better customer experiences, speeding office or mobile interactions, and dramatically reducing existing communications costs.

Read now.

Security White Papers
Identity Governance: The Business Imperatives
This white paper describes the business challenges and opportunities that are driving interest in Identity Governance while discussing considerations your organization should make...
CA Technology Brief: CA Point of View: Content Aware Identity & Access Management
This paper explores the concept of content-aware IAM, describes the integrated architecture for this new approach, and highlights the benefits that this approach...
Google: Security for Google Apps Messaging & Collaboration
Content provided by Google

Find out about how Google creates a security-based platform for Google Apps, covering topics like information security, physical security, and...
An Interactive Guide: Bring Your Own Device
BYOD presents significant security and management challenges to IT departments who want to take advantage of the trend, but still protect corporate assets....
Fundamental Principles of Network Security
This paper covers the fundamentals of secure networking systems, including firewalls, network topology and secure protocols. Best practices are also given that introduce...
All Security White Papers
Security Webcasts
Live Webcast
Playing Defense: Staying on Top of Your Disaster Recovery Game
When it comes to disaster recovery, rapidly growing data volumes, distributed computing models, and new technologies all combine to present an ever-changing playing...
Introduction to VMware vCenter Site Recovery Manager 5
Traditional disaster recovery solutions are often too expensive, complex and unreliable to meet business requirements. As a result, IT departments are hesitant to...
The Top Ten Secrets to Avoiding SAN Performance Problems
Maintaining peak performance while simultaneously addressing the root cause of SAN errors is challenging. Learn the most common SAN problems and explore new...
Deduplication Without Compromise
Go inside Quantum's scalable, high-performance, multi-protocol new DXi deduplication appliances, designed to make backup much more effective. Discover how the new future-proof DXi6700...
Director of Disk Products Discusses DXi6700
Discover how the new DXi 6700 series of deduplication appliances provide investment protection and a future-proof feature set, all while delivering fast, scalable,...
Playing Defense: Staying on Top of Your Disaster Recovery Game
When it comes to disaster recovery, rapidly growing data volumes, distributed computing models, and new technologies all combine to present an ever-changing playing...
All Security Webcasts
Newsletter Sign-Up

Receive the latest news test, reviews and trends on your favorite technology topics

Choose a newsletter
  1. View all newsletters | Privacy Policy
IT Jobs