Clues, experts say Microsoft knew of IE zero-day for weeks before patching

Gregg Keizer | Sept. 24, 2012
Microsoft may have known about last week's Internet Explorer zero-day bug for some time, according to its own security advisory.

Another clue to an early warning of the IE vulnerability comes from IE10, the version bundled with Windows 8, the OS upgrade already deployed by some users but set to reach retail Oct. 26.

Last week, Microsoft repeatedly said that IE10 was not vulnerable, with Elia Florio of the MSRC engineering group asserting on Thursday that, "Internet Explorer 10 is not affected."

Microsoft finalized IE10 at some point before Aug. 1, when it announced Windows 8 was ready for distribution to customers and computer makers.

It's possible, said Andrew Storms, director of security operations at nCircle Security, that Microsoft patched IE10 with information from ZDI, but was still in the testing stage for other versions of the browser. Another alternative is that Microsoft inadvertently fixed the flaw by changing IE10's code for other purposes.

Storms gave each a 50-50 chance of explaining IE10's invulnerability to the zero-day bug.

But there's another plausible reason: One of IE10's new security features blocked exploits, even though the browser remained unpatched.

Florio's vague wording -- that IE10 "is not affected" -- does not explicitly state that the browser has been patched, leaving the third option on the table.

Security experts brought up other concerns, too, namely that hackers may be "reverse engineering" HP's Digital Vaccine IPS signatures to find flaws in Microsoft's code, information that they then use to craft their zero-day exploits.

Robert Graham of Errata Security theorized that this could explain the connection between ZDI's report and the use of the CVE-2012-4969 vulnerability by hackers before it was patched.

"Many IPS vendors include [zero]-day protection, 'virtually patching' vulnerabilities in the IPS before the real patch is announced," said Graham in a Friday blog post. "That means hackers can simply reverse-engineer an IPS in order to get a constant feed of [zero-]days from the signature updates."

Romang, however, went further. Like Graham, he said reverse-engineering may explain the link between ZDI and the zero-day. But he also wondered if ZDI had leaked, whether purposefully or accidentally, the technical details of the CVE-2012-4969 bug.

Last month, a Java zero-day vulnerability was exploited by the gang that controlled the server Romang had uncovered Sept. 15. Like the IE bug, the Java flaw was a zero-day -- there was no immediate patch. And like the IE vulnerability, the one in Java had been reported by ZDI.

Oracle shipped a very rare out-of-band update for Java at the end of August to stymie attacks, which were quickly gaining momentum.

HP TippingPoint did not reply to a Saturday request for comments about Romang's leak speculation.

Windows users can obtain MS12-063 via the Microsoft Update and Windows Update services, as well as through the enterprise-grade WSUS (Windows Server Update Services).