Did Microsoft Know About the IE Zero-Day Flaw In Advance?
judgecorp writes "Microsoft issued an emergency patch for a flaw in the Internet Explorer browser on Friday, but there are hints that the firm may have known about the flaw two months ago. The notes to Microsoft's patch credit the TippingPoint Zero Day Initiative for finding the flaw, instead of Eric Romang, the researcher at Metasploit who made it public. ZDI's listings show its most recent report to Microsoft on 24 July, suggesting Microsoft may have known about this one for some time. The possibility raises questions about Microsoft's openness — as well as about the ethics of the zero day exploit market."
People (Score:4, Interesting)
Sometimes it is good to remember that people are involved, not just big companies. Did the "company" know about it, or did the people who initially received the report fail to escalate it? Who knows how many vulnerability reports they get every day, and how many of them are treated as dupes, already known, or plainly sold to the highest bidder, without the upper layers knowing about them.
Anyway, they are playing their role. It's supposed to be security by obscurity, so let's put a shadow on all hints of insecurity. With a bit of luck the only one aware of it will be the researcher who sent the report rather than the bad guys, so there will be plenty of time to fix it and schedule a deployment without anyone else knowing that it happened.
New kind of ethics in town (Score:5, Interesting)
and that is called 'returning shareholder value'.
Car manufacturers have always allowed defective products into the field, as long as the costs (lawsuits, bad press) do not outweigh the benefits (PROFIT!).
Of course, they already have lawyers on retainer and 'good relationships' with the media outlets, so they can cover most complaints by simply quashing them with legal briefs and keeping the complainants from ever getting media coverage.
There was a long period of time when MS seemed to follow that model, but they seem to have gotten on their game in the past few years. Hopefully this is not a sign that they are falling back to the lowest level of service they can give to security issues without getting sued.
Re:New kind of ethics in town (Score:5, Interesting)
Oh, the difference here is that exploits, once discovered, work almost 100% of the time on a broad variety of systems. And because the PC market is mostly a monoculture, these exploits affect every system on the block! In fact this has been observed a number of times: who can forget CodeRed, ILOVEYOU, Blaster, Conficker/Downup, Stuxnet, Duqu, Flame, ... All of these had a major impact on the computing community, so you can't compare that with the odd broken axle or loose bolts.
Actually, they don't work 100% of the time.
It's a browser bug.
It only affects IE 6-9. Not Safari, Chrome, or Firefox.
It only appears on a few dodgy websites.
The fact that this is unheard of pretty much means it's not close to affecting 100%.
But hey, thanks for reminding me about all those other exploits:
"who can forget CodeRed, iloveyou, blaster; conficker/downup, stuxnet, duqu, flame,"
I had indeed forgotten about these.
Probably because they never affected me.
Or anyone that I knew.
Because they got blocked by Anti Virus software on windows well before they became epidemic in scope.
And of course none of them bothered linux.