Microsoft knew of just-patched IE zero-day for months

Flaw fixed this week reported by bug bounty program in June

Microsoft may not have hustled as fast as researchers thought when the company patched a zero-day bug in Internet Explorer (IE) just 18 days after exploit code went public.

According to VeriSign iDefense, Microsoft had information about the browser bug nearly six months before the researcher dubbed "K4mr4n" posted attack code to the Bugtraq security mailing list on Nov. 20.

iDefense's Vulnerability Contributor Program reported the vulnerability to Microsoft on June 9, 2009, iDefense noted in an advisory published Wednesday.

IE6 and IE7, two versions of Microsoft's browser that collectively accounted for approximately 39% of all browsers used last month, were the only editions affected by the vulnerability. The ancient IE 5.01 and the new IE8 were immune from the threat.

Three days after K4mr4n publicized the exploit proof-of-concept, Microsoft confirmed that the attack code worked, and issued a security advisory that provided some information about the bug. At no time, however, did it acknowledge it knew of the vulnerability, only going as far as to say it was investigating the issue.

Last week, experts agreed that it was unlikely Microsoft would be able make the Dec. 8 deadline for the company's monthly Patch Tuesday. In fact, when Microsoft did patch the problem Tuesday, Andrew Storms, director of security operations at nCircle Network Security, applauded Microsoft's hustle. "That was record time for Microsoft, to patch in just two weeks," he said.

Storms and others based their bets on Microsoft's past track record. Historically, Microsoft has taken a month or more to deliver a patch for a publicly-disclosed IE vulnerability. On the rare times when Microsoft has issued an "out-of-band" update -- one outside its normal monthly schedule -- it's done so because in-the-wild attacks were gaining momentum. Although K4mr4n's exploit was in circulation, security firms like Symantec had confirmed Microsoft's contention that actual attacks had not yet appeared.

There were signs that Microsoft had known of the flaw for longer than two weeks, however. It credited iDefense with reporting the bug in the MS09-072 security bulletin that included the IE6 and IE7 patch, a fact Storms noticed.

On Wednesday, Storms pointed out the iDefense reporting date to Computerworld. "The IE zero-day that was fixed -- Microsoft had six months," he said in an e-mail.

Both Microsoft and iDefense recommended disabling JavaScript in IE if users were unable to apply the patch immediately. The MS09-072 update, which fixed five flaws in IE, including the zero-day, was one of six updates released Tuesday that patched a dozen vulnerabilities altogether.

Copyright © 2009 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon