Clues, experts say Microsoft knew of IE zero-day for weeks before patching
Bug-bounty program may have reported the browser flaw to Redmond in July
Computerworld - Microsoft may have known about last week's Internet Explorer (IE) zero-day bug for some time, according to its security advisory.
The vulnerability, which was patched Friday in an emergency, or "out-of-band," update, first became public on Sept. 15 when a researcher found an exploit on a known hacker server. The news prompted Microsoft to create a blocking tool within three days, then a fix for the flaw another three days later.
But the Redmond, Wash. company's security team likely knew of the bug long before that.
In the MS12-063 security bulletin, Microsoft credited Hewlett-Packard TippingPoint's bug bounty program, the Zero Day Initiative (ZDI), for reporting the vulnerability.
"Microsoft thanks ... an anonymous researcher, working with TippingPoint's Zero Day Initiative, for reporting the execCommand Use After Free Vulnerability (CVE-2012-4969)," the bulletin read, referring to the CVE, or Common Vulnerabilities and Exposures identifier for the IE zero-day.
When ZDI provided Microsoft with information about the bug, however, is unknown. Neither Microsoft or HP TippingPoint responded to questions over the weekend about CVE-2012-4969's reporting timeline. Nor has ZDI published any technical information about the vulnerability, something it does eventually after a vendor patches a bug it's reported.
Security experts also picked out the ZDI attribution, and speculated on what that meant.
"[The early warning] helped Microsoft get the patch out so quickly," said Wolfgang Kandek, CTO of Qualys, in an instant message conversation Friday. Researchers had praised Microsoft for turning out a patch in less than a week. But Kandek doubted Microsoft had much warning, citing the CVE identifier's assignment date.
ZDI's listing of upcoming advisories -- those for bugs it has reported to vendors -- included 10 for Microsoft with "Anonymous" as the researcher.
The most recent match was reported to Microsoft on July 24, 2012, said ZDI, while the oldest was submitted May 25, 2011. Others between those two dates were logged on July 16 and March 14 of this year, and on Nov. 29, 2011.
If the newest was the one reporting CVE-2012-4969, Microsoft knew of the IE zero-day for more than seven weeks before Eric Romang, the researcher who announced finding an exploit on a hacker-controlled server, disclosed his discovery Sept. 15.
Romang also noticed the ZDI attribution in MS12-063.
"So, [to be] clear, this mean[s] that this vulnerability was discovered by another researcher, previous [to] my discovery, reported to ZDI, [which] then reported it to Microsoft," said Romang in a Saturday post to his personal blog.
HP TippingPoint runs its ZDI bug-bounty program to create protection signatures for its HP Digital Vaccine customers, who use them in their IPS (intrusion prevention system) hardware.
- Researcher claims two hacker gangs exploiting unpatched IE bug
- Update: Third of Internet Explorer users at risk from attacks
- Microsoft plans another short patch slate for next week, but finds a few XP bugs to crush
- Target attack shows danger of remotely accessible HVAC systems
- Target hackers try new ways to use stolen card data
- Update: Microsoft to patch just-revealed Windows zero-day tomorrow
- NSA spying prompts open TrueCrypt encryption software audit to go viral
- Microsoft warns of Office zero-day, active hacker exploits
- Hackers move to create next Blackhole after 'Paunch' arrest
- Adobe hack shows subscription software vendors lucrative targets
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Why You Need a Next-Generation Firewall This white paper explores the reasons for implementing next-generation (NG) firewalls and lays out a path to success for overburdened IT organizations.
- Path Selection Infographic Path Selection Infographic
- Hyperconvergence Infographic A wide range of observers agree that data centers are now entering an era of "hyperconvergence" that will raise network traffic levels faster...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users? All Malware and Vulnerabilities White Papers | Webcasts