Slashdot Mirror


Did Microsoft Know About the IE Zero-Day Flaw In Advance?

judgecorp writes "Microsoft issued an emergency patch for a flaw in the Internet Explorer browser on Friday, but there are hints that the firm may have known about the flaw two months ago. The notes to Microsoft's patch credit the TippingPoint Zero Day Initiative for finding the flaw, instead of Eric Romang, the researcher at Metasploit who made it public. ZDI's listings show its most recent report to Microsoft on 24 July, suggesting Microsoft may have known about this one for some time. The possibility raises questions about Microsoft's openness — as well as about the ethics of the zero day exploit market."

3 of 123 comments

  1. Re:Of course Microsoft knew by Antony T Curtis · Score: 4, Informative

    And the bad hackers? They submit these to competitors like Google who then "leak" the news about competitor's flaw.

    I'm pretty sure that Google discreetly notifies Microsoft of flaws that it is aware of.

    --
    No sig. Move along - nothing to see here.
  2. Knowing by Anonymous Coward · Score: 5, Informative

    Microsoft has a policy of "responsible disclosure" such that they credit the flaw to the first person who participates in that process. If that person reveals it before Microsoft, then the "responsible disclosure" did not take place and the next person is given credit. It is of no surprise that the one who made it public did not get credit from Microsoft.

  3. Re:Of course Microsoft knew by man_of_mr_e · Score: 3, Informative

    Prove what, specifically? If you're going to be a dick, you should be specific about it. But here's a recent example.

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3965

    The CVE was created on July 11th, 2012. However, the existence of the flaw was not announced until August 29th, 2012.

    There are many many more, and I will leave it as an exercise for anyone that wants more proof. Just look at the date the CVE was created (the assigned date) and look at the date of the announcement.