ie8 fix
madison

Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev
Home / News & Blogs / Zero Day

Microsoft knew of IE zero-day flaw since last September

By | January 21, 2010, 12:34pm PST

Summary: Microsoft today admitted it knew of the Internet Explorer flaw used in the attacks against Google and Adobe since September last year.

Microsoft today admitted it knew of the Internet Explorer flaw used in the attacks against Google and Adobe since September last year.

The flaw was in the Microsoft Security Response Center’s (MSRC) queue to be fixed in the the next batch of patches due in February but the targeted zero-day attacks against U.S. companies forced the company to release an emergency, out-of-band IE update.

The IE update applies to all versions of the browser on all Windows OS versions and patches at least eight documented vulnerabilities that could lead to remote code execution attacks.

The patches are included in the critical MS10-002 bulletin.

[ SEE: Adobe confirms 'sophisticated, coordinated' breach ]

The vulnerability used in the attacks (CVE-2010-0249) was private reported to Microsoft last August by Meron Sellen, a white-hat hacker at BugSec, an Israeli security research company. Microsoft program manager Jerry Bryant said the company confirmed the severity of the flaw in September and planned to ship a fix in a cumulative IE update next month.

The vulnerability is described as a remote code execution issue in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted.

An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

[ SEE: MS confirms 17-year-old Windows vulnerability ]

Even if you don’t user Internet Explorer for regular Web browser, it’s important for Windows users to apply this update immediately.  That’s because the vulnerability can be exploited by including an ActiveX control in a Microsoft Access, Word, Excel, or PowerPoint file.

“Customers would have to open a malicious file to be at risk of exploitation,” Microsoft’s Bryant said, urging users to disable ActiveX controls in Microsoft Office.

ALSO READ:

Kick off your day with ZDNet's daily e-mail newsletter. It's the freshest tech news and opinion, served hot. Get it.

More from “Zero Day”

Topics

Attacker, Vulnerability, Microsoft Internet Explorer, Microsoft Corp., Zero-day Bug, Web Browsers, Security, Internet, Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Related Discussions on TechRepublic

Did you know you can take part in these discussions with your ZDNet membership?
Ask a Question Start a Discussion
158
Comments
Add Your Opinion

Join the conversation!

Just In

RE: Microsoft knew of IE zero-day flaw since last September
efsane Updated - 8th Apr 2011
Well done! Thank you very much for professional templates and community edition
sesli sohbet sesli chat
View in thread
0 Votes
+ -
people should ask for triple damages
Linux Geek 21st Jan 2010
for willful negligence on part of M$.
0 Votes
+ -
Time for more lawsuits
Wintel BSOD 21st Jan 2010
Bring 'em on!
0 Votes
+ -
They'll never get any damages
Roc Riz 22nd Jan 2010
Look at the Mickeysoft License agreement. It states that they are not libel for any damages caused by their software.

$R3\/\/3D is what we are!
0 Votes
+ -
show me a software license
rtk 22nd Jan 2010
where they don't state they are not liable for any damages and I'll show you a company that is out of business after a series of frivolous lawsuits.

Same thing applies to hardware.
  • Flagged
0 Votes
+ -
Software license terms may be overturned by a Court
mrgoose 23rd Jan 2010
A software license agreement is not actually the Law and the terms of a license may be overturned by a Court if they are deemed to be unfair or unreasonable.

To illustrate the point, albeit in an extreme manner: What if an MS software license said that if you break the terms of the EULA, then you would have to report to Microsoft HQ to have your hands cut off at the wrist? No court, not even an American one, would uphold that as being fair or reasonable. lol

In the same way if you enter a building that bears a sign saying "enter at your own risk" and shortly afterwards the building owner drops a brick on your head. Whatever the sign says, the owner is still liable.

Sadly we can't do class actions here in England. And I haven't personally touched a Microsoft product since 2007. But hopefully you folks Stateside will take up the challenge.

Meantime if you want to take action right now that will "hit them where it hurts", yet won't cost you a dime, then the answer is simple:-

Don't buy any more Microsoft products!
0 Votes
+ -
Ouch!! This will lead to an all time low in Microsoft's credibility on
DonnieBoy 21st Jan 2010
security. They knew about it THAT long, and just
sat on it like fools, waiting for it to bite them
in the arse.
0 Votes
+ -
If there's anyone who know about low credibility
John Zern 21st Jan 2010
It would be you. happy
0 Votes
+ -
Funny....
linux for me 21st Jan 2010
I thought that same thing about you! happy
0 Votes
+ -
Yours isn't ranking too high, either
John Zern 21st Jan 2010
but then I'll give you credit, you're not quite as bad as DB, so that's a plus for you happy
0 Votes
+ -
There's a plus for you too..
AzuMao 21st Jan 2010
..you're not always as bad as lovey dovey.
0 Votes
+ -
Microsoft deserves the bashing they're getting.
ye 21st Jan 2010
Why does it take them five months to patch a vulnerability? They need to drop the lackadaisical attitude towards some vulnerabilities and treat them all with the highest importance. There's no excuse for this.
0 Votes
+ -
Testing/Compatability (NT)
Cylon Centurion Updated - 21st Jan 2010
NT
0 Votes
+ -
Yes, they should have done testing and compatibility checks a long freaking
DonnieBoy 21st Jan 2010
time ago.
0 Votes
+ -
I don't think you understand security at all
Cylon Centurion Updated - 21st Jan 2010
All software has holes. It is nearly impossible to find them all before a product is released.

Patches just cannot be developed overnight, it is embarrassing to see your product use in such malicious ways, BUT, it is even more embarrassing to see a patched designed to help plug a hole, break a lot of other things in the process. There are a lot of things that go on when patching up a hole. A lot of things you have to take into consideration and take into account.

You are very quick to flame everyone for sticking up for software vendors, yet, I'm pretty sure once you had a clue what it is like to be one, you'd have a better picture about what goes on.

I dare you to take that challenge.

Not all of them sit for hours in their basement going through lines of code looking to see what can do what. This isn't Linux.

Honestly, Microsoft's team deserves credit for bringing this patch out so soon.
  • Flagged
0 Votes
+ -
Wow, excuses, excuses. If this were the Linux kernel, they would have had a
DonnieBoy 21st Jan 2010
patch in a week. They would have made security a
priority.
0 Votes
+ -
assuming they found the bug in the first place (nt)
SystemVoid 21st Jan 2010
.
0 Votes
+ -
Microsoft knew of the bug since September last year. When the Linux kernel
DonnieBoy 21st Jan 2010
group knows of a bug, they fix it RIGHT away.
0 Votes
+ -
Like I said
Cylon Centurion Updated - 21st Jan 2010
You are quick to flame, yet don't take the time to read.

This isn't Linux. Proprietary companies don't have socially inept, obese users sitting away in the basement living off of chips and energy drinks, that can make up half assed patches for half assed "Me too" OSS software.
They have to take the time to understand what the vulnerability is, what needs to be done to fix it, and take the time to make sure it works, and it won't break anything else. Also considering the end of the year id full of holidays and other leaves of absence... There you have your 5 months.
  • Flagged
0 Votes
+ -
Nice combo attack of wanton hypocrisy with a false dichotomy thrown in.
AzuMao 21st Jan 2010
You call other posts flaming, yet claim anyone who
fixes a known vulnerability in under 5 months are
"obese users sitting away in the basement living
off of chips and energy drinks, that can make up
half assed patches for half assed "Me too" OSS
software.". I love it. If Loverock saw your post
he'd be insanely jealous. 10/10!
0 Votes
+ -
Some situations call for overtime.
Lester Young 21st Jan 2010
Seems a critical vulnerability would be one of them.
0 Votes
+ -
@Lester
Cylon Centurion Updated - 21st Jan 2010
That is true, which is why I'm curious what else Microsoft had going on at the time.

However, It might also explain why they had the patch out so early... they already knew and were working on it.
  • Flagged
0 Votes
+ -
5 months after a remotely exploitable vulnerability becomes known..
AzuMao 21st Jan 2010
..is not early.
0 Votes
+ -
Like I said
Wintel BSOD 21st Jan 2010
This isn't Linux. Proprietary companies don't have socially inept, obese users sitting away in the basement living off of chips and energy drinks, that can make up half assed patches for half assed "Me too" OSS software.

lol... grin

Like I said, I don't think you're a student, soooo....

Quit making excuses for them, mod/shill...
  • Flagged
0 Votes
+ -
Now you are being abusive
zdnet-gregc 22nd Jan 2010
Pot, Kettle, Black, and all that ...

I know plenty of sophisticated Linux hackers (in the good sense) that are nothing like your characterization of them.

You seem to have a good sense of what commercial software development entails. Why don't you stick to that and avoid the ad hominem?
0 Votes
+ -
Is size really important?
mrgoose Updated - 24th Jan 2010
@NStalnecker

I fail to see how the weight, social graces or dietary habits of OSS users have any relevance in the context of this discussion. But since you obviously think they have, then I feel it is my duty to point out that the Microsoft camp also has its fair share of porkers, e.g. Microsoft CEO, Steve "Dance-Monkeyboy" Balmer. He is not exactly famous for his social skills either.

Funny how expressions involving stones and glasshouses, or pots & kettles now leap playfully to one's mind... happy
0 Votes
+ -
But would the patch work without breaking something?
Lester Young 21st Jan 2010
It's quite common in Ubuntu support forums to find instances of patches and kernel updates breaking applications. If that were Microsoft's performance, they would be pilloried.
0 Votes
+ -
When is a week not a week
John Zern 21st Jan 2010
When it's 9 months

http://www.itbusiness.ca/it/client/en/Home/News.asp?id=46011

And this is interesting on a Firefox zero day exploit that "nobody took seriouslly"?

http://www.pctipsbox.com/0-day-exploit-for-critical-firefox-vulnerability/

So I'm guessing they knew about it, but didn't have to do anything untill their feet were held to the fire.

Just another example of Mozilla not caring about their customers.

Right, DB?
0 Votes
+ -
5 months is fast for Microsoft I will say
Randalllind Updated - 21st Jan 2010
ROFL it is a freaking disgrace and proves Microsoft just don't care about users.

It doesn't take 5 months to patch a hole come on they are suppose to have the smartest people working for them.

There is no excuse for this crap time after time. I forget the name of the bug in IE that went un-patched for a year and a half. You think they would have learn.

0 Votes
+ -
So soon?...
Dave32265 21st Jan 2010
MS has been sitting on this for who knows how long before they claim.
0 Votes
+ -
No it doesn't.
AzuMao 21st Jan 2010
And there's a pretty thick line between overnight and over half a year. Almost as thick as your skull.
  • Flagged
0 Votes
+ -
They should have moved resources...
bjbrock 21st Jan 2010
from someplace like 7 development to fix something like this. MS is used to getting away with security issues without being held accountable. It's time they were sued.
0 Votes
+ -
Suing get people no where
Cylon Centurion 21st Jan 2010
If anything, people need to sue less, then they are now. But, leave it to our legal system for people to be ********....

The article stated that they already knew of and were in the process of patching it for next month - A mere 3 weeks away. It's the same as Apple - Security through obscurity. The exploit was unknown until last week.
0 Votes
+ -
Jiggawatts..
AzuMao 21st Jan 2010
..how did you get 1.21 of them?

Or is my calendar just broken and it's actually
September still?
0 Votes
+ -
All programs have bugs
zdnet-gregc 22nd Jan 2010
And some bugs create exploitable security vulnerabilities.

[I'm paraphrasing a seminal mid-nineties internet security book I read a while back here, not making it up]

Obsequious boy or not, he's right about that.

Whether Microsoft should have had a patch out sooner is open to debate. I suspect MSFT took a calculated risk--whether to constantly ship small security patches with all the associated (bad) PR or ship bigger, less frequent updates on the assumption that the vulnerabilities wouldn't be exploited in any big way.

Let's not kid ourselves, all businesses make these sort of trade-offs. Apple has made a similar trade-off and so far they've called it correctly; it appears they'll have ASLR and heap protection in place before the hackers decide that OS X is a target worth training the heavy guns on. How they will deal with ongoing security patches if and when OS X does become a prime target for hackers is anyone's guess.
0 Votes
+ -
And your "years of experience"
John Zern 21st Jan 2010
have taught you had to handle things like this?

Just askin'.
0 Votes
+ -
I understand that.
ye 21st Jan 2010
But five months seems excessive.
0 Votes
+ -
Could be
Cylon Centurion Updated - 21st Jan 2010
Depends on what was going on inside the company. Like I said, there is a lot to take into consideration though...

Although in their defense the next patch tuesday is a mere 3 weeks away... Had Google not been hacked the world would never have known how bad this one hole was.... Or even cared, it would have been another (countless) IE fix sitting in your updates list.
0 Votes
+ -
I agree they have a lot to do.
ye 21st Jan 2010
But we're talking about five months. I can't imagine the location and fix for the bug took more than a month with the remainder being testing. Four months should be plenty of time to test.

Although in their defense the next patch tuesday is a mere 3 weeks away...

Which is why I said five months instead of four. I already factored in the time until the next patch Tuesday.

Had Google not been hacked the world would never have known how bad this one hole was....

Irrelevant. The fact is Google was hacked through this bug. Had Microsoft been more timely with a patch perhaps Google would not have been hacked.

Or even cared, it would have been another (countless) IE fix sitting in your updates list.

IMO this bug is no worse/more severe than any other code execution bug in IE. The only difference is this one was exploited prior to the patch being released.

I also suspect the hacked systems were default configurations of XP which are not very secure. It is my opinion that had even the most basic security measures been used Google would not have been hacked. Yes, this means I'm partially blaming the user.
0 Votes
+ -
Point. I concur
Cylon Centurion 21st Jan 2010
XP's security in today's computing landscape is a joke.
0 Votes
+ -
I have to disagree with you on this.
ye 22nd Jan 2010
XP's security in today's computing landscape is a joke.

XP's default configuration wrt security is a joke. While XP doesn't include ASLR and MIR it is quite safe if the following, basic (and free) security measures are used:

1. Enable the built in firewall (default since SP2).

2. Enable automatic patching (default since SP2).

3. Use a non-administrative account. This is one of the best ways to reduce one's exposure to malware.

4. Enable DEP.

I've used XP with these security measures and not a single infection. The security in XP is better than people give it credit for. It's just not "enabled" (administrator account is the default) by default.
0 Votes
+ -
It's not just a Continuing Engineering issue
zdnet-gregc 22nd Jan 2010
It's also a business/brand management issue. And I can understand how a company such as Microsoft might decide that releasing patches in larger, discrete batches and eating relatively infrequent bad press if a known (to MSFT) vulnerability does get exploited is preferable to lots of small patches arriving constantly.

I'm not saying I agree with that decision, or a corporate culture that spawns it. Personally, I think the folks at Microsoft may be over-thinking this one.
0 Votes
+ -
Completely agreed.
AzuMao 21st Jan 2010
It makes sense for a company with billions of
dollars for their product to take 5 months just to
figure out whether or not the patch that prevents
hackers from remotely taking over their users'
systems might potentially cause more harm than it
solves.

Makes perfect sense.
0 Votes
+ -
Well, after all the money that they spent on Seinfeld, they do not have any
DonnieBoy 21st Jan 2010
left for security. But, they Seinfeld ads were
really funny!!!

Or were they???
0 Votes
+ -
236 Packages were required for this patch..
planruse 21st Jan 2010
according to the IE blog to cover all the different versions of Windows, IE and languages. I agree that 5 months is a little long but it looks like a lot of work was involved with this one.
0 Votes
+ -
Better, a lot of foot dragging involved. They just do not care about YOUR
DonnieBoy 21st Jan 2010
security, they are too preoccupied counting all
the money and working with Seinfeld.
0 Votes
+ -
Maybe like the Google and Mozilla foot dragging?
John Zern 21st Jan 2010
Please let us know exactly how you know it's just MS doesn't care about it's customers.

And then let us know how you know there isn't a flaw in Firefox of Chrome right now that Mozilla and Google are aware of, but haven't disclosed because no one out side the company is aware of it, yet.

See, I can take that same stand and say that Mozilla and Google don't care about their customers either because there are flaws in their browsers that they're aware of, but haven't said anything.

See that's the fun part: you don't have to say anything until someone finds out about it.

Like Tiger Woods. He didn't have to say anything until he got caught.
0 Votes
+ -
This is APPLEs fault!
Intellihence Updated - 21st Jan 2010
I guess?

I just had to throw this bone in there.
0 Votes
+ -
Apple's Fault
zdnet-gregc 22nd Jan 2010
Yes, it is, for not having a large enough installed base to draw the hackers away from Windows happy

Seriously, does it occur to anyone that this falls in the category of "a good problem to have" for Microsoft? They should really start to worry when the exploits drop off because the hackers are turning their attention to some other high-value target. Of course it is only a good problem to have as long as Microsoft can manage the brand impact effectively so that the exploits don't contribute to an exodus from MSFT product that helps to create that other high-value target.

Software as a *business* is so hard ... happy
0 Votes
+ -
Partially agree.
Lester Young 21st Jan 2010
But a lackadaisical attitude towards security is also reflected in enterprise keeping XP/IE6 and insecure legacy win32 applications in situations where security is critical. Microsoft's move towards greater security with Vista and more recent versions of IE was not popular. If someone in Google's situation wants to shriek about Microsoft, they need to take a hard look in the mirror first.
0 Votes
+ -
So...
zkiwi 21st Jan 2010
You think businesses should just suck it in and pay for upgrades to new products hoping the problem will be solved and redevelop their software (that works and does what they want) because of screw-ups that are caused by another party (aka Microsoft in this case)?
0 Votes
+ -
RE: Microsoft knew of IE zero-day flaw since last September
efsane Updated - 8th Apr 2011
Well done! Thank you very much for professional templates and community edition
sesli sohbet sesli chat

Join the conversation!

Formatting +
BB Codes - Note: HTML is not supported in forums
  • [b] Bold [/b]
  • [i] Italic [/i]
  • [u] Underline [/u]
  • [s] Strikethrough [/s]
  • [q] "Quote" [/q]
  • [ol][*] 1. Ordered List [/ol]
  • [ul][*] · Unordered List [/ul]
  • [pre] Preformat [/pre]
  • [quote] "Blockquote" [/quote]
ie8 fix
Click Here
ie8 fix

The best of ZDNet, delivered

ZDNet Newsletters

Get the best of ZDNet delivered straight to your inbox

Facebook Activity

Blog Roll

Blog Archive

White Papers, Webcasts, & Resources
ie8 fix
ie8 fix