Did Microsoft Know About the IE Zero-Day Flaw In Advance?

judgecorp writes "Microsoft issued an emergency patch for a flaw in the Internet Explorer browser on Friday, but there are hints that the firm may have known about the flaw two months ago. The notes to Microsoft's patch credit the TippingPoint Zero Day Initiative for finding the flaw, instead of Eric Romang, the researcher at Metasploit who made it public. ZDI's listings show its most recent report to Microsoft on 24 July, suggesting Microsoft may have known about this one for some time. The possibility raises questions about Microsoft's openness — as well as about the ethics of the zero day exploit market."

Of course Microsoft knew

[s0446]

I work in the field and can say there's tons of researchers who submit these flaws. Not all of them can be fixed instantly, and in some instances (like this) fixing them could actually create hints for hackers to use and exploit. That's why it's often better to be silent about them and make a fix ready in case they are publicly exploited. One of the worst case scenarios is if you patch something with huge notes about it and the hackers find out about the flaw that way.

And the bad hackers? They submit these to competitors like Google who then "leak" the news about competitors flaw.

Re:Of course Microsoft knew

Security by obscurity is considered bad practice. You know, what would you think if AIRCRAFT/CAR/SHIPMANUFACTURER would wait 2 months before recalling defective parts (especially dicy stuff like brakes or stuff that's critical to the structure of the thing)... I don't think you would be pleased to know that you were riding around in a death trap.

Re:Of course Microsoft knew

[CTachyon]

And why is that? Google would love to see Microsoft die.

You don't bring nukes to a knife fight. Sure, you win the knife fight, but now everyone else knows to nuke you first and ask questions later.

Re:Of course Microsoft knew

Not all of them can be fixed instantly, and in some instances (like this) fixing them could actually create hints for hackers to use and exploit

If you have knowledge of a critical exploit, and you can't fix it in months, then your software is not suitable for use in a production environment.

It is crucial to let system admins know as soon as you find an exploit, so they can defend themselves. You can't assume that blackhats will not find out, because they will, and you are putting your users at risk with such negligent behavior.

Your post mainly shows that you don't know what you're talking about.

Re:Of course Microsoft knew

[buglista]

This is utter bollocks. I used to run a large network and if you know there is a critical patch coming, you can plan for it. If you don't, and it gets released haphazardly (OOB), you're just fucked. There is no good way to get it on 200 servers and 2000 desktops in under 48 hours without causing major problems.
Nice offhand remark about Google leaking MS zero days. Got anything to back that up?
tl;dr - utter rubbish. Yes, I work in the field too and have done for over 10 years.

Re:Of course Microsoft knew

[Penguinisto]

Lots of answers:

* If you inform Microsoft of a flaw in IE, then Microsoft in turn notifies you of a flaw in Chrome.
* Chrome's Windows version actually uses a lot of IE components (ICS stands out, if I remember right), so a flaw in IE could potentially affect Chrome, depending on what the flaw is (e.g. an IE flaw that sets a stealth/fake proxy in IE ICS, which in turn affects Chrome...)
* Just because you want your competitors to die or be diminished, doesn't mean you have to be a dick about it. ;)

Re:Of course Microsoft knew

[icebike]

I work in the field and can say there's tons of researchers who submit these flaws. Not all of them can be fixed instantly, and in some instances (like this) fixing them could actually create hints for hackers to use and exploit. That's why it's often better to be silent about them and make a fix ready in case they are publicly exploited. One of the worst case scenarios is if you patch something with huge notes about it and the hackers find out about the flaw that way. .

The summary makes it seem like Microsoft did something underhanded by attributing the bug report to a source that pre-dates the publishing by Eric Romang.
All this says is TippingPoint Zero Day Initiative acted responsibly, and Romang didn't.

As for how long it took, one can't make any judgement with no idea of the scope of the problem, or the testing they had to do in order to make sure the fix was proper, and didn't hurt anything else, and worked on every variety of their platform, the number of parts of the system needing the patch, etc.

Nor can we be positive that temporary measures may have been put in place until a formal patch was found, (such as a signature added to Security Essentials and shared with other security companies).

The last thing you want to do is announce you have a patch coming before you really have a patch in hand.

Rush to market.

[jellomizer]

How many times have you made a quick demo/proof of concept code, only to be rushed to market besides you express statement that it isn't complete yet. Because your boss doesn't understand what it takes harden your code, or pressures you to just fix the UI to prevent the bad stuff from happening.

For example if you see a website that had javascript that clears out Single Quotes before sending the data over, it may mean that it is ripe for a SQL injection attack.