Slashdot Mirror


Did Microsoft Know About the IE Zero-Day Flaw In Advance?

judgecorp writes "Microsoft issued an emergency patch for a flaw in the Internet Explorer browser on Friday, but there are hints that the firm may have known about the flaw two months ago. The notes to Microsoft's patch credit the TippingPoint Zero Day Initiative for finding the flaw, instead of Eric Romang, the researcher at Metasploit who made it public. ZDI's listings show its most recent report to Microsoft on 24 July, suggesting Microsoft may have known about this one for some time. The possibility raises questions about Microsoft's openness — as well as about the ethics of the zero day exploit market."

4 of 123 comments

  1. Re:Of course Microsoft knew by CTachyon · Score: 5, Insightful

    And why is that? Google would love to see Microsoft die.

    You don't bring nukes to a knife fight. Sure, you win the knife fight, but now everyone else knows to nuke you first and ask questions later.

    --
    Range Voting: preference intensity matters
  2. Re:Of course Microsoft knew by Anonymous Coward · Score: 4, Insightful

    Not all of them can be fixed instantly, and in some instances (like this) fixing them could actually create hints for hackers to use and exploit.

    If you have knowledge of a critical exploit, and you can't fix it in months, then your software is not suitable for use in a production environment.

    It is crucial to let system admins know as soon as you find an exploit, so they can defend themselves. You can't assume that blackhats will not find out, because they will, and you are putting your users at risk with such negligent behavior.

    Your post mainly shows that you don't know what you're talking about.

  3. Re:Of course Microsoft knew by buglista · Score: 5, Insightful

    This is utter bollocks. I used to run a large network and if you know there is a critical patch coming, you can plan for it. If you don't, and it gets released haphazardly (OOB), you're just fucked. There is no good way to get it on 200 servers and 2000 desktops in under 48 hours without causing major problems.
    Nice offhand remark about Google leaking MS zero days. Got anything to back that up?
    tl;dr - utter rubbish. Yes, I work in the field too and have done for over 10 years.

  4. Re:Of course Microsoft knew by Penguinisto · Score: 4, Insightful

    Lots of answers:

    * If you inform Microsoft of a flaw in IE, then Microsoft in turn notifies you of a flaw in Chrome.
    * Chrome's Windows version actually uses a lot of IE components (ICS stands out, if I remember right), so a flaw in IE could potentially affect Chrome, depending on what the flaw is (e.g. an IE flaw that sets a stealth/fake proxy in IE ICS, which in turn affects Chrome...)
    * Just because you want your competitors to die or be diminished, doesn't mean you have to be a dick about it. ;)

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?