24 Sep 2012

Microsoft Knew About Internet Explorer Bug for Months

Microsoft knew about the Internet Explorer zero-day flaw months before it released the security patch, according to Computer World. The evidence that the Redmond-based company was aware of the bug is that its bulletin credits Hewlett-Packard TippingPoint for reporting the vulnerability. TippingPoint's program allegedly reported the browser vulnerability in July, seven weeks before researcher Eric Romang announced that he had found the bug on a server used by attackers.

“Microsoft thanks the following for working with us to help protect customers: An anonymous researcher, working with TippingPoint’s Zero Day Initiative, for reporting the execCommand Use After Free Vulnerability (CVE-2012-4969),” the bulletin reads.

The credit also led Eric Romang to ask when the company had first learned of the bug. “So, to be clear, this means that this vulnerability was discovered by another researcher, previously to my discovery, reported to ZDI, which then reported it to Microsoft,” Romang wrote on his blog. “If CVE-2012-4969 was reported to ZDI, by an anonymous researcher, the vulnerability was known by Microsoft since minimum 1 month, a maximum of 462 days, an average time of 168,4 days…”

The MS12-063 security bulletin was released last Friday to address “one publicly disclosed and four privately reported vulnerabilities in Internet Explorer.” Rated critical, the security update fixed the flaws by changing the way the browser handles objects in memory.

The most severe of the vulnerabilities allowed remote code execution when a user viewed a specially crafted webpage in the Microsoft browser. In this way, attackers could gain full administrative rights on the affected computer.

Neither Microsoft nor HP TippingPoint has addressed the question of when the bug was first reported, according to Computer World.