Microsoft knew of dangerous IE zero-day for months

Flaw fixed this week first reported in June

Microsoft may not have worked as quickly as researchers thought when the company patched a zero-day bug in Internet Explorer (IE) just 18 days after exploit code went public.

According to VeriSign iDefense, Microsoft had information about the browser bug nearly six months before the researcher dubbed 'K4mr4n' posted attack code to the Bugtraq security mailing list on November 20.

iDefense's vulnerability purchase program, one of the two best-known bug bounty programs alongside TippingPoint's Zero Day Initiative (ZDI), reported the vulnerability to Microsoft on June 9, 2009, iDefense noted in an advisory published on Wednesday.

IE6 and IE7, two versions of Microsoft's browser that collectively accounted for approximately 39% of all browsers used last month, were the only editions affected by the vulnerability. The ancient IE 5.01 and the new IE8 were immune from the threat.

Three days after K4mr4n publicised the exploit proof-of-concept, Microsoft confirmed that the attack code worked, and issued a security advisory that provided some information about the bug. At no time, however, did it acknowledge it knew of the vulnerability, only going as far as to say it was investigating the issue.

Last week, experts agreed that it was unlikely Microsoft would be able to make the December 8 deadline for the company's monthly Patch Tuesday. In fact, when Microsoft did patch the problem on Tuesday, Andrew Storms, director of security operations at nCircle Network Security, applauded Microsoft's speed. "That was record time for Microsoft, to patch in just two weeks," he said.

Storms and others based their bets on Microsoft's past track record. Historically, Microsoft has taken a month or more to deliver a patch for a publicly-disclosed IE vulnerability. On the rare times when Microsoft has issued an 'out-of-band' update - one outside its normal monthly schedule - it's done so because in-the-wild attacks were gaining momentum. Although K4mr4n's exploit was in circulation, security firms like Symantec had confirmed Microsoft's contention that actual attacks had not yet appeared.

There were signs that Microsoft had known of the flaw for longer than two weeks, however. It credited iDefense with reporting the bug in the MS09-072 security bulletin that included the IE6 and IE7 patch, a fact Storms noticed.

On Wednesday, Storms pointed out the iDefense reporting date to Computerworld US. "The IE zero-day that was fixed - Microsoft had six months," he said.

Both Microsoft and iDefense recommended disabling Active Scripting (JavaScript) in IE as a workaround if users were unable to apply the patch immediately. The MS09-072 update, which fixed five flaws in IE, including the zero-day, was one of six updates released on Tuesday that patched a dozen vulnerabilities altogether.
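For administrators who had to apply that workaround rather than the patch, the following PowerShell is an added example of how to turn Active Scripting off (and back on) for the Internet zone of the current user. It is not code from the article, from Microsoft or from iDefense; it assumes the standard per-user IE zone layout in the registry, where zone 3 is the Internet zone, value 1400 controls Active Scripting, and 0, 1 and 3 mean enable, prompt and disable respectively.

```powershell
# Added example (not from the article): toggle Active Scripting for IE's
# Internet zone via the per-user zone settings. Assumptions: zone 3 is the
# Internet zone, DWORD 1400 is "Active scripting", 0 = enable, 1 = prompt,
# 3 = disable. A machine-wide policy (HKLM with Security_HKLM_only set)
# overrides these per-user values, so verify the effective state afterwards.

$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ActiveScriptingValue = '1400'

function Get-ActiveScriptingState {
    # Returns a readable state for the Internet zone's Active Scripting setting.
    $props = Get-ItemProperty -Path $ZoneKey -Name $ActiveScriptingValue -ErrorAction SilentlyContinue
    if ($null -eq $props) { return 'NotSet (IE default applies)' }
    switch ($props.$ActiveScriptingValue) {
        0       { 'Enabled' }
        1       { 'Prompt' }
        3       { 'Disabled' }
        default { "Unknown ($($props.$ActiveScriptingValue))" }
    }
}

function Set-ActiveScriptingState {
    # $Mode: 'Disable' for the workaround, 'Enable' to roll back once patched.
    param([ValidateSet('Enable', 'Prompt', 'Disable')][string]$Mode)
    $code = @{ Enable = 0; Prompt = 1; Disable = 3 }[$Mode]
    if (-not (Test-Path $ZoneKey)) { New-Item -Path $ZoneKey -Force | Out-Null }
    Set-ItemProperty -Path $ZoneKey -Name $ActiveScriptingValue -Value $code -Type DWord
}

Write-Host "Before: $(Get-ActiveScriptingState)"
Set-ActiveScriptingState -Mode Disable      # workaround while unpatched
Write-Host "After:  $(Get-ActiveScriptingState)"

# After MS09-072 is installed, restore the default:
# Set-ActiveScriptingState -Mode Enable
```

Two caveats a practitioner would want: the change only affects the Internet zone, so sites in Trusted Sites or the Local intranet zone still run script, and disabling scripting breaks most of the web, which is why the workaround was only ever a stopgap until the patch could be applied.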

Computerworld US