Slashdot Mirror


Did Microsoft Know About the IE Zero-Day Flaw In Advance?

judgecorp writes "Microsoft issued an emergency patch for a flaw in the Internet Explorer browser on Friday, but there are hints that the firm may have known about the flaw two months ago. The notes to Microsoft's patch credit the TippingPoint Zero Day Initiative for finding the flaw, instead of Eric Romang, the researcher at Metasploit who made it public. ZDI's listings show its most recent report to Microsoft on 24 July, suggesting Microsoft may have known about this one for some time. The possibility raises questions about Microsoft's openness — as well as about the ethics of the zero day exploit market."

5 of 123 comments

  1. Clarification Needed (please) by Anonymous Coward · Score: 5, Funny

    What's a "Internet Explorer" ?

    1. Re:Clarification Needed (please) by Alter_3d · Score: 5, Funny

      What's a "Internet Explorer" ?

      It's the tool used to download Firefox, Chrome or Opera on new Windows PCs.

      Of course, if you really hate the thing, you can always use the built-in FTP client.

  2. Knowing by Anonymous Coward · Score: 5, Informative

    Microsoft has a policy of "responsible disclosure" such that they credit the flaw to the first person who participates in that process. If that person reveals it before Microsoft, then the "responsible disclosure" did not take place and the next person is given credit. It is of no surprise that the one who made it public did not get credit from Microsoft.

  3. Re:Of course Microsoft knew by CTachyon · Score: 5, Insightful

    And why is that? Google would love to see Microsoft die.

    You don't bring nukes to a knife fight. Sure, you win the knife fight, but now everyone else knows to nuke you first and ask questions later.

    --
    Range Voting: preference intensity matters

  4. Re:Of course Microsoft knew by buglista · Score: 5, Insightful

    This is utter bollocks. I used to run a large network and if you know there is a critical patch coming, you can plan for it. If you don't, and it gets released haphazardly (OOB), you're just fucked. There is no good way to get it on 200 servers and 2000 desktops in under 48 hours without causing major problems.
    Nice offhand remark about Google leaking MS zero days. Got anything to back that up?
    tl;dr - utter rubbish. Yes, I work in the field too and have done for over 10 years.