Microsoft knew of IE zero-day flaw since last September


Microsoft today admitted it knew of the Internet Explorer flaw used in the attacks against Google and Adobe since September last year.

The flaw was in the Microsoft Security Response Center's (MSRC) queue to be fixed in the next batch of patches due in February, but the targeted zero-day attacks against U.S. companies forced the company to release an emergency, out-of-band IE update.

The IE update applies to all versions of the browser on all Windows OS versions and patches at least eight documented vulnerabilities that could lead to remote code execution attacks.

The patches are included in the critical MS10-002 bulletin.

The vulnerability used in the attacks (CVE-2010-0249) was privately reported to Microsoft last August by Meron Sellen, a white-hat hacker at BugSec, an Israeli security research company. Microsoft program manager Jerry Bryant said the company confirmed the severity of the flaw in September and planned to ship a fix in a cumulative IE update next month.

The vulnerability is described as a remote code execution issue in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted.

An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Even if you don't use Internet Explorer for regular Web browsing, it's important for Windows users to apply this update immediately. That's because the vulnerability can be exploited by including an ActiveX control in a Microsoft Access, Word, Excel, or PowerPoint file.

"Customers would have to open a malicious file to be at risk of exploitation," Microsoft's Bryant said, urging users to disable ActiveX controls in Microsoft Office.


  • people should ask for triple damages

    for willful negligence on part of M$.
    Linux Geek
    • Time for more lawsuits

      Bring 'em on!
      Wintel BSOD
    • They'll never get any damages

      Look at the Mickeysoft License agreement. It states that they are not liable for any damages caused by their software.

      $<R3\/\/3D is what we are!
      Roc Riz
      • show me a software license

        where they don't state they are not liable for any damages and I'll show you a company that is out of business after a series of frivolous lawsuits.

        Same thing applies to hardware.
        • Software license terms may be overturned by a Court

          A software license agreement is not actually the Law and the terms of a license may be overturned by a Court if they are deemed to be unfair or unreasonable.

          To illustrate the point, albeit in an extreme manner: What if an MS software license said that if you break the terms of the EULA, then you would have to report to Microsoft HQ to have your hands cut off at the wrist? No court, not even an American one, would uphold that as being fair or reasonable. lol

          In the same way if you enter a building that bears a sign saying "enter at your own risk" and shortly afterwards the building owner drops a brick on your head. Whatever the sign says, the owner is still liable.

          Sadly we can't do class actions here in England. And I haven't personally touched a Microsoft product since 2007. But hopefully you folks Stateside will take up the challenge.

          Meantime if you want to take action right now that will "hit them where it hurts", yet won't cost you a dime, then the answer is simple:-

          Don't buy any more Microsoft products!
  • Ouch!! This will lead to an all time low in Microsoft's credibility on

    security. They knew about it THAT long, and just
    sat on it like fools, waiting for it to bite them
    in the arse.
    • If there's anyone who knows about low credibility

      It would be you. :)
      John Zern
      • Funny....

        I thought that same thing about you! :)
        linux for me
        • Yours isn't ranking too high, either

          but then I'll give you credit, you're not quite as bad as DB, so that's a plus for you :)
          John Zern
          • There's a plus for you too..

  're not always as bad as lovey dovey.
  • Testing/Compatibility (NT)

    The one and only, Cylon Centurion
    • Yes, they should have done testing and compatibility checks a long freaking

      time ago.
      • I don't think you understand security at all

        All software has holes. It is nearly impossible to find them all before a product is released.

        Patches just cannot be developed overnight, it is embarrassing to see your product used in such malicious ways, BUT, it is even more embarrassing to see a patch designed to help plug a hole, break a lot of other things in the process. There are a lot of things that go on when patching up a hole. A lot of things you have to take into consideration and take into account.

        You are very quick to flame everyone for sticking up for software vendors, yet, I'm pretty sure once you had a clue what it is like to be one, you'd have a better picture about what goes on.

        I dare you to take that challenge.

        Not all of them sit for hours in their basement going through lines of code looking to see what can do what. This isn't Linux.

        Honestly, Microsoft's team deserves credit for bringing this patch out so soon.
        The one and only, Cylon Centurion
        • Wow, excuses, excuses. If this were the Linux kernel, they would have had a

          patch in a week. They would have made security a
          • assuming they found the bug in the first place (nt)

          • Microsoft knew of the bug since September last year. When the Linux kernel

            group knows of a bug, they fix it RIGHT away.
          • Like I said

            You are quick to flame, yet don't take the time to read.

            This isn't Linux. Proprietary companies don't have socially inept, obese users sitting away in the basement living off of chips and energy drinks, that can make up half assed patches for half assed "Me too" OSS software.
            They have to take the time to understand what the vulnerability is, what needs to be done to fix it, and take the time to make sure it works, and it won't break anything else. Also considering the end of the year is full of holidays and other leaves of absence... There you have your 5 months.
            The one and only, Cylon Centurion
          • Nice combo attack of wanton hypocrisy with a false dichotomy thrown in.

            You call other posts flaming, yet claim anyone who
            fixes a known vulnerability in under 5 months are
            "obese users sitting away in the basement living
            off of chips and energy drinks, that can make up
            half assed patches for half assed "Me too" OSS
            software.". I love it. If Loverock saw your post
            he'd be insanely jealous. 10/10!
          • Some situations call for overtime.

            Seems a critical vulnerability would be one of them.
            Lester Young
          • @Lester

            That is true, which is why I'm curious what else Microsoft had going on at the time.

            However, it might also explain why they had the patch out so early... they already knew and were working on it.
            The one and only, Cylon Centurion