Microsoft knew of IE zero-day flaw since last September
Microsoft today admitted it knew of the Internet Explorer flaw used in the attacks against Google and Adobe since September last year.
The flaw was in the Microsoft Security Response Center's (MSRC) queue to be fixed in the next batch of patches due in February, but the targeted zero-day attacks against U.S. companies forced the company to release an emergency, out-of-band IE update.
The IE update applies to all versions of the browser on all Windows OS versions and patches at least eight documented vulnerabilities that could lead to remote code execution attacks.
The patches are included in the critical MS10-002 bulletin.
The vulnerability used in the attacks (CVE-2010-0249) was privately reported to Microsoft last August by Meron Sellen, a white-hat hacker at BugSec, an Israeli security research company. Microsoft program manager Jerry Bryant said the company confirmed the severity of the flaw in September and planned to ship a fix in a cumulative IE update next month.
The vulnerability is described as a remote code execution issue in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted.
An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
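To make the bug class concrete, the following added example (not code from Microsoft or from the original article) models what "accessing an object that has been deleted" means and how a lifetime check catches it. The `Pool`, `Slot` and `Handle` types are constructed for illustration: the pool recycles freed slots the way a heap allocator recycles freed memory, so a stale reference resolves to whatever was written there later.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Constructed model: a pool that recycles freed slots, as a heap allocator does.
struct Slot { std::string data; uint32_t generation; bool live; };
struct Handle { std::size_t index; uint32_t generation; };

class Pool {
    std::vector<Slot> slots_;
public:
    Handle create(const std::string& data) {
        for (std::size_t i = 0; i < slots_.size(); ++i) {
            if (!slots_[i].live) {                 // reuse the first freed slot
                slots_[i].data = data;
                slots_[i].live = true;
                return Handle{i, slots_[i].generation};
            }
        }
        slots_.push_back(Slot{data, 0, true});
        return Handle{slots_.size() - 1, 0};
    }
    void destroy(Handle h) {
        Slot& s = slots_[h.index];
        if (s.live && s.generation == h.generation) {
            s.live = false;
            ++s.generation;                        // invalidates outstanding handles
        }
    }
    // Unchecked: models a raw pointer still used after the object was deleted.
    const std::string& get_unchecked(Handle h) const { return slots_[h.index].data; }
    // Checked: a stale handle is rejected instead of resolving to new contents.
    bool get_checked(Handle h, std::string& out) const {
        const Slot& s = slots_[h.index];
        if (!s.live || s.generation != h.generation) return false;
        out = s.data; return true;
    }
};
// Delete an object, let its slot be recycled, then read through the old handle.
std::string stale_read(bool checked) {
    Pool pool;
    Handle element = pool.create("original element");
    pool.destroy(element);
    pool.create("unrelated data written later");  // occupies the recycled slot
    std::string out = "rejected: stale handle";
    if (checked) pool.get_checked(element, out); else out = pool.get_unchecked(element);
    return out;
}
int main() { std::cout << stale_read(false) << "\n" << stale_read(true) << "\n"; }
```

The unchecked read silently returns data that belongs to a different object, which is why this class of bug is rated as remote code execution; the generation check turns the same access into a detectable failure.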
Even if you don't use Internet Explorer for regular Web browsing, it's important for Windows users to apply this update immediately. That's because the vulnerability can be exploited by including an ActiveX control in a Microsoft Access, Word, Excel, or PowerPoint file.
"Customers would have to open a malicious file to be at risk of exploitation," Microsoft's Bryant said, urging users to disable ActiveX controls in Microsoft Office.
Talkback
people should ask for triple damages
Time for more lawsuits
They'll never get any damages
$<R3\/\/3D is what we are!
show me a software license
Same thing applies to hardware.
Software license terms may be overturned by a Court
To illustrate the point, albeit in an extreme manner: What if an MS software license said that if you break the terms of the EULA, then you would have to report to Microsoft HQ to have your hands cut off at the wrist? No court, not even an American one, would uphold that as being fair or reasonable. lol
In the same way if you enter a building that bears a sign saying "enter at your own risk" and shortly afterwards the building owner drops a brick on your head. Whatever the sign says, the owner is still liable.
Sadly we can't do class actions here in England. And I haven't personally touched a Microsoft product since 2007. But hopefully you folks Stateside will take up the challenge.
Meantime if you want to take action right now that will "hit them where it hurts", yet won't cost you a dime, then the answer is simple:-
Don't buy any more Microsoft products!
Ouch!! This will lead to an all time low in Microsoft's credibility on
sat on it like fools, waiting for it to bite them
in the arse.
If there's anyone who knows about low credibility
Funny....
Yours isn't ranking too high, either
There's a plus for you too..
Testing/Compatibility (NT)
Yes, they should have done testing and compatibility checks a long freaking
I don't think you understand security at all
Patches just cannot be developed overnight, it is embarrassing to see your product used in such malicious ways, BUT, it is even more embarrassing to see a patch designed to help plug a hole, break a lot of other things in the process. There are a lot of things that go on when patching up a hole. A lot of things you have to take into consideration and take into account.
You are very quick to flame everyone for sticking up for software vendors, yet, I'm pretty sure once you had a clue what it is like to be one, you'd have a better picture about what goes on.
I dare you to take that challenge.
Not all of them sit for hours in their basement going through lines of code looking to see what can do what. This isn't Linux.
Honestly, Microsoft's team deserves credit for bringing this patch out so soon.
Wow, excuses, excuses. If this were the Linux kernel, they would have had a
priority.
assuming they found the bug in the first place (nt)
Microsoft knew of the bug since September last year. When the Linux kernel
Like I said
This isn't Linux. Proprietary companies don't have socially inept, obese users sitting away in the basement living off of chips and energy drinks, that can make up half assed patches for half assed "Me too" OSS software.
They have to take the time to understand what the vulnerability is, what needs to be done to fix it, and take the time to make sure it works, and it won't break anything else. Also considering the end of the year is full of holidays and other leaves of absence... There you have your 5 months.
Nice combo attack of wanton hypocrisy with a false dichotomy thrown in.
fixes a known vulnerability in under 5 months are
"obese users sitting away in the basement living
off of chips and energy drinks, that can make up
half assed patches for half assed "Me too" OSS
software.". I love it. If Loverock saw your post
he'd be insanely jealous. 10/10!
Some situations call for overtime.
@Lester
However, it might also explain why they had the patch out so early... they already knew and were working on it.