Slashdot Mirror


Did Microsoft Know About the IE Zero-Day Flaw In Advance?

judgecorp writes "Microsoft issued an emergency patch for a flaw in the Internet Explorer browser on Friday, but there are hints that the firm may have known about the flaw two months ago. The notes to Microsoft's patch credit the TippingPoint Zero Day Initiative for finding the flaw, instead of Eric Romang, the researcher at Metasploit who made it public. ZDI's listings show its most recent report to Microsoft on 24 July, suggesting Microsoft may have known about this one for some time. The possibility raises questions about Microsoft's openness — as well as about the ethics of the zero day exploit market."


  1. Of course Microsoft knew by s0446 · · Score: 3, Insightful

    I work in the field and can say there are tons of researchers who submit these flaws. Not all of them can be fixed instantly, and in some instances (like this) fixing them could actually create hints for hackers to use and exploit. That's why it's often better to be silent about them and make a fix ready in case they are publicly exploited. One of the worst case scenarios is if you patch something with huge notes about it and the hackers find out about the flaw that way.

    And the bad hackers? They submit these to competitors like Google who then "leak" the news about the competitor's flaw.

    1. Re:Of course Microsoft knew by Anonymous Coward · · Score: 2, Insightful

      Security by obscurity is considered bad practice. You know, what would you think if an AIRCRAFT/CAR/SHIP MANUFACTURER waited 2 months before recalling defective parts (especially dicey stuff like brakes or stuff that's critical to the structure of the thing)... I don't think you would be pleased to know that you were riding around in a death trap.

    2. Re:Of course Microsoft knew by Antony+T+Curtis · · Score: 4, Informative

      And the bad hackers? They submit these to competitors like Google who then "leak" the news about the competitor's flaw.

      I'm pretty sure that Google discreetly notifies Microsoft of flaws that it is aware of.

      --
      No sig. Move along - nothing to see here.
    3. Re:Of course Microsoft knew by CTachyon · · Score: 5, Insightful

      And why is that? Google would love to see Microsoft die.

      You don't bring nukes to a knife fight. Sure, you win the knife fight, but now everyone else knows to nuke you first and ask questions later.

      --
      Range Voting: preference intensity matters
    4. Re:Of course Microsoft knew by Anonymous Coward · · Score: 4, Insightful

      Not all of them can be fixed instantly, and in some instances (like this) fixing them could actually create hints for hackers to use and exploit

      If you have knowledge of a critical exploit, and you can't fix it in months, then your software is not suitable for use in a production environment.

      It is crucial to let system admins know as soon as you find an exploit, so they can defend themselves. You can't assume that blackhats will not find out, because they will, and you are putting your users at risk with such negligent behavior.

      Your post mainly shows that you don't know what you're talking about.

    5. Re:Of course Microsoft knew by buglista · · Score: 5, Insightful

      This is utter bollocks. I used to run a large network and if you know there is a critical patch coming, you can plan for it. If you don't, and it gets released haphazardly (OOB), you're just fucked. There is no good way to get it on 200 servers and 2000 desktops in under 48 hours without causing major problems.
      Nice offhand remark about Google leaking MS zero days. Got anything to back that up?
      tl;dr - utter rubbish. Yes, I work in the field too and have done for over 10 years.

    6. Re:Of course Microsoft knew by Penguinisto · · Score: 4, Insightful

      Lots of answers:

      * If you inform Microsoft of a flaw in IE, then Microsoft in turn notifies you of a flaw in Chrome.
      * Chrome's Windows version actually uses a lot of IE components (ICS stands out, if I remember right), so a flaw in IE could potentially affect Chrome, depending on what the flaw is (e.g. an IE flaw that sets a stealth/fake proxy in IE ICS, which in turn affects Chrome...)
      * Just because you want your competitors to die or be diminished, doesn't mean you have to be a dick about it. ;)

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    7. Re:Of course Microsoft knew by man_of_mr_e · · Score: 2

      Everyone embargoes security bug details. Everyone. Mozilla, Red Hat, Canonical, Google... Everyone does it. And many times critical bugs are embargoed for several weeks, sometimes even 6 or more months.

    8. Re:Of course Microsoft knew by icebike · · Score: 3, Insightful

      I work in the field and can say there are tons of researchers who submit these flaws. Not all of them can be fixed instantly, and in some instances (like this) fixing them could actually create hints for hackers to use and exploit. That's why it's often better to be silent about them and make a fix ready in case they are publicly exploited. One of the worst case scenarios is if you patch something with huge notes about it and the hackers find out about the flaw that way.

      The summary makes it seem like Microsoft did something underhanded by attributing the bug report to a source that pre-dates the publishing by Eric Romang.
      All this says is TippingPoint Zero Day Initiative acted responsibly, and Romang didn't.

      As for how long it took, one can't make any judgement with no idea of the scope of the problem, or the testing they had to do in order to make sure the fix was proper, and didn't hurt anything else, and worked on every variety of their platform, the number of parts of the system needing the patch, etc.

      Nor can we be positive that temporary measures may have been put in place until a formal patch was found, (such as a signature added to Security Essentials and shared with other security companies).

      The last thing you want to do is announce you have a patch coming before you really have a patch in hand.

      --
      Sig Battery depleted. Reverting to safe mode.
    9. Re:Of course Microsoft knew by man_of_mr_e · · Score: 2

      Wrong. Mozilla, Red Hat, Canonical and Google embargo the details, including the existence of, critical security bugs until a patch is available... UNLESS the exploit is publicly known already.

      It's very easy to prove. Just find any critical security flaw in the CVE database and look at the date the CVE was created. Then look at the date of the official announcement, it's quite frequently weeks to months in between.

    10. Re:Of course Microsoft knew by fustakrakich · · Score: 2

      Aircraft can go for YEARS still using parts known to be a risk.

      Four to be exact. I'm sure a cost/benefit agreement was reached. Brings little comfort to the passengers.

      As for the Concorde, about as freaky as accidents get. More than one airliner has been brought down by a popped tire.

      --
      “He’s not deformed, he’s just drunk!”
    11. Re:Of course Microsoft knew by man_of_mr_e · · Score: 3, Informative

      Prove what, specifically? If you're going to be a dick, you should be specific about it. But here's a recent example.

      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3965

      The CVE was created on July 11th, 2012. However, the existence of the flaw was not announced until August 29th, 2012.

      There are many many more, and I will leave it as an exercise for anyone that wants more proof. Just look at the date the CVE was created (the assigned date) and look at the date of the announcement.

    12. Re:Of course Microsoft knew by sjames · · Score: 2

      Yes, and that's exactly the problem here.

    13. Re:Of course Microsoft knew by jmerlin · · Score: 2

      This isn't security by obscurity. And to point out, all current security is based on obscurity. The fact that all you need is a key to get access to something is, by definition, securing something by obscurity (the key is obscured). A measure of the quality of a security system is how local the obscurity is, which makes it easier to measure the strength. So if ALL of the obscurity is in the key, and there isn't an attack to weaken the key space, it's pretty easy to determine just how secure something is.

      This, on the other hand, is not telling the criminals that the armored truck accidentally broke down on its route. The point of security here isn't "we have flaws but if nobody ever knows about them, we're fine", it's "we have flaws that were reported, we're working to fix them, and we'd rather not publicly announce them until they're fixed." There's a huge difference.

  2. Rush to market. by jellomizer · · Score: 3, Insightful

    How many times have you written quick demo/proof-of-concept code, only to have it rushed to market despite your express statement that it isn't complete yet? Because your boss doesn't understand what it takes to harden your code, or pressures you to just fix the UI to prevent the bad stuff from happening.

    For example, if you see a website that has JavaScript that clears out single quotes before sending the data over, it may mean that it is ripe for a SQL injection attack.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
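The tell jellomizer describes above, worked through as an added example that is not part of the original thread or any project: a login query built by string concatenation, a client-side quote-stripping "filter" mirrored in Python, and the parameterized query that actually fixes it. The table, the user rows and the payloads are constructed for this demonstration; the point it shows is that the browser-side filter is bypassed by sending the request directly, and that a quote-free payload in a numeric context never needed the quotes in the first place.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "hunter2"), ("bob", "s3cret")],
    )
    conn.commit()
    return conn


def client_side_filter(value):
    """Mimics the page's example: JavaScript that strips single quotes
    before the form is submitted. Runs in the attacker's browser, so the
    attacker can simply not run it."""
    return value.replace("'", "")


def login_vulnerable(conn, name, password):
    """Attacker-controlled text is spliced straight into the SQL."""
    query = (
        f"SELECT name FROM users WHERE name = '{name}' "
        f"AND password = '{password}'"
    )
    return sorted(row[0] for row in conn.execute(query))


def find_by_id_vulnerable(conn, user_id):
    """Numeric context: no quotes needed, so quote-stripping does nothing."""
    query = f"SELECT name FROM users WHERE id = {user_id}"
    return sorted(row[0] for row in conn.execute(query))


def login_safe(conn, name, password):
    """Parameterized query: the driver sends values separately from the
    statement, so the payload is compared as data, never parsed as SQL."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (name, password)))


def demo():
    conn = make_db()
    quoted_payload = "' OR '1'='1"
    quoteless_payload = "1 OR 1=1"
    results = {}
    # Through the browser filter the quotes are gone and the injection fails...
    results["filtered_attack"] = login_vulnerable(
        conn, client_side_filter(quoted_payload), client_side_filter(quoted_payload)
    )
    # ...but the attacker posts the raw payload with curl and logs in as everyone.
    results["raw_attack"] = login_vulnerable(conn, quoted_payload, quoted_payload)
    # The numeric-context payload survives the quote filter untouched.
    results["quoteless_attack"] = find_by_id_vulnerable(
        conn, client_side_filter(quoteless_payload)
    )
    # Parameterized: the same payload matches nothing, legitimate login works.
    results["param_attack"] = login_safe(conn, quoted_payload, quoted_payload)
    results["legit"] = login_safe(conn, "alice", "hunter2")
    return results


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The only line that removes the bug is the `?` placeholder query; everything done on the client is cosmetic, because the client is the attacker's machine.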
  3. Clarification Needed (please) by Anonymous Coward · · Score: 5, Funny

    What's a "Internet Explorer" ?

    1. Re:Clarification Needed (please) by Alter_3d · · Score: 5, Funny

      What's a "Internet Explorer" ?

      It's the tool used to download Firefox, Chrome or Opera on new Windows PCs.

      Of course, if you really hate the thing, you can always use the built in ftp client.

  4. Of course they knew. by JustAnotherIdiot · · Score: 2

    If I've learned anything from my current position it's that if a single person finds a problem, they're usually whacked on the head and told to keep their mouth shut.
    The person who knew was probably a grunt worker at Microsoft who was hushed by his manager.

    --
    What do I know, I'm just an idiot, right?
  5. Knowing by Anonymous Coward · · Score: 5, Informative

    Microsoft has a policy of "responsible disclosure" such that they credit the flaw to the first person who participates in that process. If that person reveals it before Microsoft, then the "responsible disclosure" did not take place and the next person is given credit. It is of no surprise that the one who made it public did not get credit from Microsoft.

  6. People by gmuslera · · Score: 3, Interesting

    Sometimes it is good to remember that people are involved, not just big companies. Did the "company" know about it, or did the people who initially received the report not escalate it? Who knows how many vulnerability reports they get every day, and how many of them are taken as dupes, already known, or plainly sold to the highest bidder, without the upper layers knowing about them.

    Anyway, they are playing their role. It's supposed to be security by obscurity, so let's put a shadow on all hints of insecurity. With a bit of luck the only one aware of it will be the researcher who sent the report instead of the bad guys, so there will be plenty of time to fix and schedule a deploy without anyone else knowing that it happened.

  7. New kind of ethics in town by garyisabusyguy · · Score: 4, Interesting

    and that is called, 'returning shareholder value'

    Car manufacturers have always allowed defective products into the field, as long as the costs (lawsuits, bad press) do not outweigh the benefits (PROFIT!)

    Of course, they already have lawyers on retainer, and 'good relationships' with the media outlets, so they can cover most complaints by simply quashing them with legal briefs and keeping the complainants from ever getting media coverage

    There was a long period of time when MS seemed to follow that model, but they seemed to have gotten on their game in the past few years, hopefully this is not a sign that they are falling back to the lowest level of service that they can give to security issues without getting sued

    --
    Wherever You Go, There You Are
    1. Re:New kind of ethics in town by icebike · · Score: 2

      Look, there is no such thing as a defect free product. Does not exist in any realm.

      Given that, an instant recall of any product subsequently found to have a defect would shut down commerce totally. It would be completely unworkable in the real world. It's nothing about returning shareholder value. It's about keeping civilization running WHILE you fix infrastructure instead of running screaming back into the cave every time you discover a loose screw on a cabinet door.

      Complex systems are complex to fix. But they work. Bugs and all. They hang together.
      Loose axle bolts on a pickup truck, or an obscure vulnerability in a browser. 99.9999% of the users will not encounter the problem, and when they do the vast majority of them will not get hurt.
      However, everybody gets hurt when idealists rush in, order all IE9 users to cease and desist using it, and all pickup truck owners to park them until a fix is found. It's ridiculous.

      Further, You can't "quash" anything these days. Don't even go there.
      Bugs get fixed in order of priority. Triage. Look it up some time.

      --
      Sig Battery depleted. Reverting to safe mode.
    2. Re:New kind of ethics in town by icebike · · Score: 4, Interesting

      Oh, the difference here is that exploits once discovered work almost 100% of the time on a broad variety of systems. And because the PC market is mostly a monoculture, these exploits affect every system on the block! In fact this has been observed a number of times: who can forget CodeRed, iloveyou, blaster, conficker/downup, stuxnet, duqu, flame, ... All these had some major impact on the computing community, so you can't compare that with the odd broken axle or loose bolts.

      Actually, they don't work 100% of the time.
      It's a browser bug.
      It only affects IE 6-9. Not Safari, Chrome, or Firefox.
      It only appears on a few dodgy websites.
      The fact that this is unheard of pretty much means its not close to affecting 100%.

      But hey, thanks for reminding me about all those other exploits,

      who can forget CodeRed, iloveyou, blaster; conficker/downup, stuxnet, duqu, flame,

      I had indeed forgotten about these.
      Probably because they never affected me.
      Or anyone that I knew.

      Because they got blocked by Anti Virus software on windows well before they became epidemic in scope.
      And of course none of them bothered linux.

      --
      Sig Battery depleted. Reverting to safe mode.
  8. Ethics in the zero day exploit market? by rainer_d · · Score: 2

    I'm sure it exists, as long as the balance sheet is OK. A "market" (and the ZD exploit market, being largely unregulated, TTBOMK) doesn't have any ethics per-se.

    --
    Windows 2000 - from the guys who brought us edlin
  9. Ethics? by mseeger · · Score: 2

    The possibility raises questions about Microsoft [...] as well as about the ethics of the zero day exploit market.

    You're kidding me, right? You expect ethics on a market whose primary customers are spies and criminals? Selling to manufacturer is only the sale of the last resort.....

  10. You meant to say by Anonymous Coward · · Score: 2, Funny

    1.) Guy reports exploit to M$ in February
    2.) They do nothing
    3.) Guy asks for progress in May
    4.) They do nothing
    5.) Guy asks for progress in July
    6.) They do nothing
    7.) Guy asks for progress in October
    8.) They do nothing
    9.) Guy releases exploit to public
    10.) MS bitches loudly about "Google trying to smear us"
    11.) MS does nothing for three days
    12.) Two low-level guys are told to fix it ASAP on Monday
    13.) On Tuesday they are grilled by Sinofski about progress
    14.) On Wednesday Ballmer throws a chair at them
    15.) On the deathbed (from the Ballmer-inflicted wounds), they fix the issue
    16.) On Friday MS releases the patch

  11. No by fa2k · · Score: 2

    If Microsoft knew about it, it wasn't a zero-day vulnerability