Slashdot Mirror

← Back to Stories (view on slashdot.org)

Did Microsoft Know About the IE Zero-Day Flaw In Advance?

Posted by samzenpus on from the is-this-a-feature? dept.

judgecorp writes "Microsoft issued an emergency patch for a flaw in the Internet Explorer browser on Friday, but there are hints that the firm may have known about the flaw two months ago. The notes to Microsoft's patch credit the TippingPoint Zero Day Initiative for finding the flaw, instead of Eric Romang, the researcher at Metasploit who made it public. ZDI's listings show its most recent report to Microsoft on 24 July, suggesting Microsoft may have known about this one for some time. The possibility raises questions about Microsoft's openness — as well as about the ethics of the zero day exploit market."

2 of 123 comments (clear)

  1. New kind of ethics in town by garyisabusyguy · · Score: 4, Interesting

    and that is called, 'returning shareholder value'

    Car manufacturers have always allowed defective products into the field, as long as the costs (lawsuits, bad press) do not outweigh the benefits (PROFIT!)

    Of course, they already have lawyers on retainer, and 'good relationships' with the media outlets, so that can cover most complaints by simply quashing them with legal briefs and keeping the complainants from ever getting media coverage

    There was a long period of time when MS seemed to follow that model, but they seemed to have gotten on their game in the past few years, hopefully this is not a sign that they are falling back to the lowest level of service that they can give to security issues without getting sued

    --
    Wherever You Go, There You Are
    1. Re:New kind of ethics in town by icebike · · Score: 4, Interesting

      Oh, the difference here is that exploits once discovered work almost 100% of the time on a board variety of systems. And because the pc market is mostly a monoculture, these exploits effect every system in the block!. In fact this has been observed a number of timer: Or who can forget CodeRed, iloveyou, blaster; conficker/downup, stuxnet, duqu, flame, ... All these had some major impact on the computing community, so you can't compare that with the odd broken axel or loose bolts.

      Actually, they don't work 100% of the time.
      Its a browser bug.
      It only affects IE 6-9. Not Safari, Chrome, or Firefox.
      It only appears on a few dodgy websites.
      The fact that this is unheard of pretty much means its not close to affecting 100%.

      But hey, thanks for reminding me about all those other exploits,

      who can forget CodeRed, iloveyou, blaster; conficker/downup, stuxnet, duqu, flame,

      I had indeed forgotten about these.
      Probably because they never affected me.
      Or anyone that I knew.

      Because they got blocked by Anti Virus software on windows well before they became epidemic in scope.
      And of course none of them bothered linux.

      --
      Sig Battery depleted. Reverting to safe mode.