Clues, experts say Microsoft knew of IE zero-day for weeks before patching
Bug-bounty program may have reported the browser flaw to Redmond in July
Computerworld - Microsoft may have known about last week's Internet Explorer (IE) zero-day bug for some time, according to its security advisory.
The vulnerability, which was patched Friday in an emergency, or "out-of-band," update, first became public on Sept. 15 when a researcher found an exploit on a known hacker server. The news prompted Microsoft to create a blocking tool within three days, then a fix for the flaw another three days later.
But the Redmond, Wash. company's security team likely knew of the bug long before that.
In the MS12-063 security bulletin, Microsoft credited Hewlett-Packard TippingPoint's bug bounty program, the Zero Day Initiative (ZDI), for reporting the vulnerability.
"Microsoft thanks ... an anonymous researcher, working with TippingPoint's Zero Day Initiative, for reporting the execCommand Use After Free Vulnerability (CVE-2012-4969)," the bulletin read, referring to the CVE, or Common Vulnerabilities and Exposures, identifier for the IE zero-day.
When ZDI provided Microsoft with information about the bug, however, is unknown. Neither Microsoft nor HP TippingPoint responded to questions over the weekend about CVE-2012-4969's reporting timeline. Nor has ZDI published any technical information about the vulnerability, something it does eventually after a vendor patches a bug it's reported.
Security experts also picked out the ZDI attribution, and speculated on what that meant.
"[The early warning] helped Microsoft get the patch out so quickly," said Wolfgang Kandek, CTO of Qualys, in an instant message conversation Friday. Researchers had praised Microsoft for turning out a patch in less than a week. But Kandek doubted Microsoft had much warning, citing the CVE identifier's assignment date.
ZDI's listing of upcoming advisories -- those for bugs it has reported to vendors -- included 10 for Microsoft with "Anonymous" as the researcher.
The most recent match was reported to Microsoft on July 24, 2012, said ZDI, while the oldest was submitted May 25, 2011. Others between those two dates were logged on July 16 and March 14 of this year, and on Nov. 29, 2011.
If the newest was the one reporting CVE-2012-4969, Microsoft knew of the IE zero-day for more than seven weeks before Eric Romang, the researcher who announced finding an exploit on a hacker-controlled server, disclosed his discovery Sept. 15.
Romang also noticed the ZDI attribution in MS12-063.
"So, [to be] clear, this mean[s] that this vulnerability was discovered by another researcher, previous [to] my discovery, reported to ZDI, [which] then reported it to Microsoft," said Romang in a Saturday post to his personal blog.
HP TippingPoint runs its ZDI bug-bounty program to create protection signatures for its HP Digital Vaccine customers, who use them in their IPS (intrusion prevention system) hardware.