Forgot your password?
typodupeerror
Microsoft Security IT

Did Microsoft Know About the IE Zero-Day Flaw In Advance? 123

Posted by samzenpus
from the is-this-a-feature? dept.
judgecorp writes "Microsoft issued an emergency patch for a flaw in the Internet Explorer browser on Friday, but there are hints that the firm may have known about the flaw two months ago. The notes to Microsoft's patch credit the TippingPoint Zero Day Initiative for finding the flaw, instead of Eric Romang, the researcher at Metasploit who made it public. ZDI's listings show its most recent report to Microsoft on 24 July, suggesting Microsoft may have known about this one for some time. The possibility raises questions about Microsoft's openness — as well as about the ethics of the zero day exploit market."
This discussion has been archived. No new comments can be posted.

Did Microsoft Know About the IE Zero-Day Flaw In Advance?

Comments Filter:
  • by s0446 (2737999) on Monday September 24, 2012 @01:21PM (#41439449)
    I work in the field and can say there's tons of researchers who submit these flaws. Not all of them can be fixed instantly, and in some instances (like this) fixing them could actually create hints for hackers to use and exploit. That's why it's often better to be silent about them and make a fix ready in case they are publicly exploited. One of the worst case scenarios is if you patch something with huge notes about it and the hackers find out about the flaw that way.

    And the bad hackers? They submit these to competitors like Google who then "leak" the news about competitors flaw.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Security by obscurity is considered bad practice. You know, what would you think if AIRCRAFT/CAR/SHIPMANUFACTURER would wait 2 months before recalling defective parts (especially dicy stuff like brakes or stuff that's critical to the structure of the thing)... I don't think you would be pleased to know that you were riding around in a death trap.

      • by garyisabusyguy (732330) on Monday September 24, 2012 @01:42PM (#41439791)

        and that is called, 'returning shareholder value'

        Car manufacturers have always allowed defective products into the field, as long as the costs (lawsuits, bad press) do not outweigh the benefits (PROFIT!)

        Of course, they already have lawyers on retainer, and 'good relationships' with the media outlets, so that can cover most complaints by simply quashing them with legal briefs and keeping the complainants from ever getting media coverage

        There was a long period of time when MS seemed to follow that model, but they seemed to have gotten on their game in the past few years, hopefully this is not a sign that they are falling back to the lowest level of service that they can give to security issues without getting sued

        • by icebike (68054) *

          Look, there is no such thing as a defect free product. Does not exist in any realm.

          Given that, an instant recall of any product subsequently found to have a defect would shut down commerce totally. It would be completely unworkable in the real world. Its nothing about returning shareholder value. Its about keeping civilization running WHILE you fix infrastructure instead of running screaming back into the cave every time you discover a loose screw on a cabinet door.

          Complex systems are complex to fix. Bu

        • It does not surprise me about MS software and IE. But what is weird to me is how people jump on MS and not others. I am sure Firefox has made mistakes... Wes Beckwith
      • by Anonymous Coward

        No, it's only bad if the secret is a vital piece of the security of the system. As Bruce Schneier said [schneier.com]:

        Just because security does not require that something be kept secret, it doesn't mean that it is automatically smart to publicize it.

      • by abigsmurf (919188)
        2 months? Aircraft can go for YEARS still using parts known to be a risk. Grounding aircraft is extremely expensive, it only happens in extremely serious cases (usually where an issue has been identified as causing a crash). Otherwise the fixes can wait until the next piece of scheduled maintenance on the aircraft or even it's next major refit. Sometimes they decide not to bother.

        The Concorde crash springs to mind. They'd been warned for a long time that the fuel tanks lacked shielding and were at risk y
        • Aircraft can go for YEARS still using parts known to be a risk.

          Four to be exact [nzherald.co.nz]. I'm sure a cost/benefit agreement was reached. Brings little comfort to the passengers.

          As for the Concorde, about as freaky as accidents get. More than one airliner has been brought down by a popped tire.

      • by jmerlin (1010641)
        This isn't security by obscurity. And to point out, all current security is based on obscurity. The fact that all you need is a key to get access to something is, by definition, securing something by obscurity (the key is obscured). A measure of the quality of a security system is how local the obscurity is, which makes it easier to measure the strength. So if ALL of the obscurity is in the key, and there isn't an attack to weaken the key space, it's pretty easy to determine just how secure something is
    • by Antony T Curtis (89990) on Monday September 24, 2012 @01:34PM (#41439647) Homepage Journal

      And the bad hackers? They submit these to competitors like Google who then "leak" the news about competitors flaw.

      I'm pretty sure that Google discretely notifies Microsoft of flaws that it is aware of.

    • by Anonymous Coward

      I work in the field

      Then you should exploit your expertise. Go back and comment on the gummi-cow-feed item.

      Ba-dump.

    • by Anonymous Coward on Monday September 24, 2012 @02:07PM (#41440129)

      Not all of them can be fixed instantly, and in some instances (like this) fixing them could actually create hints for hackers to use and exploit

      If you have knowledge of a critical exploit, and you can't fix it in months, then your software is not suitable for use in a production environment.

      It is crucial to let system admins know as soon as you find an exploit, so they can defend themselves. You can't assume that blackhats will not find out, because they will, and you are putting your users at risk with such negligent behavior.

      Your post mainly shows that you don't know what you're talking about.

      • Everyone embargoes security bug details. Everyone. Mozilla, Red Hat, Canonical, Google... Everyone does it. And many times critical bugs are embargoed for several weeks, sometimes even 6 or more months.

    • by buglista (1967502) on Monday September 24, 2012 @02:22PM (#41440351)
      This is utter bollocks. I used to run a large network and if you know there is a critical patch coming, you can plan for it. If you don't, and it gets released haphazardly (OOB), you're just fucked. There is no good way to get it on 200 servers and 2000 desktops in under 48 hours without causing major problems.
      Nice offhand remark about Google leaking MS zero days. Got anything to back that up?
      tl;dr - utter rubbish. Yes, I work in the field too and have done for over 10 years.
      • by DarkOx (621550)

        I used to run a large network

        Things have changed and are changing rapidly. Dev opps means that on a well run large network (at least one under central control, like a corporate one) it should be possible to put a patch on 200 servers, and probably 80%+ of those desktops in as much time. Actually you should be do the deployment work in about the 4-6 hours it takes to test patch, and patch process on the representative test machines, the rest of the 48 hours should be waiting for clients to check in and servers to hit reboot schedules

        • by buglista (1967502)
          Yes, this was a university, not a standard corporate. If you do have a single build for servers and a single build for workstations everything does get so much easier - this just doesn't fit a Uni model, because of a) necessity of people doing weird stuff and b) internal politics :)
    • by sjames (1099)

      They could have slipped the patch in on any patch Tuesday without tipping their hand (it wouldn't be the first time a security fix was slipped in).

      • by icebike (68054) *

        And they may have done just that, by slipping in a signature into the millions of machines running Microsoft Security Essentials, looking for the droppings of the exploit even when they haven't found the actual hole.

        They may have known it wasn't being widely exploited (Eric Romang didn't discover it till Sept 17), just because they were not getting hits in MSE, and had time to seek a complete patch.

        • by sjames (1099)

          Checking for the signature of an actual attack is not at all the same as shipping a patch to PREVENT that attack from succeeding AT ALL.

          • by icebike (68054) *

            Checking for the signature of an actual attack is not at all the same as shipping a patch to PREVENT that attack from succeeding AT ALL.

            Exactly. But it does provide a measurement of how fast (it at all) the exploit is spreading, and prevents the currently known payloads from being installed while a solution is found that would allow the vulnerability to be permanently closed.

            It allows you to triage the various exploits that need the most immediate attention.

            • by sjames (1099)

              It prevented nothing. If they had the patch, they should have shipped it. If they didn't (they do take time to develop and test) they should be honest about that.

              • by icebike (68054) *

                Being honest about it does not include advertising a vulnerability you have no solution for.
                How would that possibly make the problem better?

                Its like hanging a big sign on your front door that says your lock is broken.

                • by sjames (1099)

                  They have a patch now don't they?

                  • by icebike (68054) *

                    Probably you do as well, if you have auto-updates applied.

                    Quote first sentence of Summary:

                    Microsoft issued an emergency patch for a flaw in the Internet Explorer browser on Friday,... the notes to Microsoft's patch credit the TippingPoint Zero Day Initiative for finding the flaw,

                    So problem solved.

    • by X0563511 (793323)

      There's no need for the CVE or whatever to be so explicit as to say "HACKERS GO HERE."

      Hell most of the MS security patches say something entirely useless like "a security flaw has been identified in Windows that may...."

    • by icebike (68054) * on Monday September 24, 2012 @04:38PM (#41442383)

      I work in the field and can say there's tons of researchers who submit these flaws. Not all of them can be fixed instantly, and in some instances (like this) fixing them could actually create hints for hackers to use and exploit. That's why it's often better to be silent about them and make a fix ready in case they are publicly exploited. One of the worst case scenarios is if you patch something with huge notes about it and the hackers find out about the flaw that way. .

      The summary makes it seem like Microsoft did something underhanded by attributing the bug report to a source that pre-dates the publishing by Eric Romang.
      All this says is TippingPoint Zero Day Initiative acted responsibly, and Romang didn't.

      As for how long it took, one can't make any judgement with no idea of the scope of the problem, or the testing they had to do in order to make sure the fix was proper, and didn't hurt anything else, and worked on every variety of their platform, the number of parts of the system needing the patch, etc.

      Nor can we be positive that temporary measures may have been put in place until a formal patch was found, (such as a signature added to Security Essentials and shared with other security companies).

      The last thing you want to do is announce you have a patch coming before you really have a patch in hand.

    • by Bremic (2703997)

      It's very simple. If you find a defect that could lead to a comprehensive security breach, and you can't fix it within a reasonable period of time (say 4-6 weeks) then you notify people of the fact that your software is defective and should not be used - no details, just simply "stop using it until we have a fix".

      If your software is web enabled, and reports back to base (like IE does), issue an "update" that stops it working.

      If an airline found out that their planes were vulnerable to sudden engine failure,

  • Rush to market. (Score:4, Insightful)

    by jellomizer (103300) on Monday September 24, 2012 @01:27PM (#41439547)

    How many times have you made a quick demo/proof of concept code, only to be rushed to market besides you express statement that it isn't complete yet. Because your boss doesn't understand what it takes harden your code, or pressures you to just fix the UI to prevent the bad stuff from happening.

    For example if you see a website that had javascript that clears out Single Quotes before sending the data over, it may mean that it is ripe for a SQL injection attack.

    • by Anonymous Coward

      Geez, are we still talking about the iOS 6 maps?

  • by Anonymous Coward on Monday September 24, 2012 @01:33PM (#41439645)

    What's a "Internet Explorer" ?

    • by Anonymous Coward

      What's a "Internet Explorer" ?

      A liability.

      Next question.

    • by Alter_3d (948458) on Monday September 24, 2012 @02:15PM (#41440227)

      What's a "Internet Explorer" ?

      It's the tool used to download Firefox, Chrome or Opera on new Windows PCs.

      Of course, if you really hate the thing, you can always use the built in ftp client.

      • I used to do just that during my IE hate phase as I did not want to taint the poor CPU with those evil instructions into a tool of satan! I would cmd up ftp to getfirefox and even went as far as replace the blue E off every family computer and putting the firefox icon with it instead.

        Maybe I am just OC?

    • by geekmux (1040042)

      What's a "Internet Explorer" ?

      A small bug. It is technically part worm, part parasite, but fortunately has shrunk considerably in size from its formidable infectious years, and is easily killed and eaten these days by the Firefox...

    • by Anonymous Coward

      Tool like any other explorers. It is meant to explore the internets. So if you dont know where your internet is hidding, you explore it every day again and again. Till you find yourself in a madhouse. simple as that. Hope it helps Everyone in their exploration and research.

    • Permuted: Net Pixel Net Error
    • by antdude (79039)

      You forgot a "n" before "Internet Explorer" since I is a vowel. :P

    • by Pyrus.mg (1152215)

      Anyone who types three random words into Google and clicks the I'm Feeling Lucky button earns an Internet Explorer badge. (please contact Microsoft if your badge doesn't arrive by overnight courier)

  • by JustAnotherIdiot (1980292) on Monday September 24, 2012 @01:36PM (#41439693)
    If I've learned anything from my current position it's that if a single person find a problem, they're usually whacked on the head and told to keep their mouths shut.
    The person who knew was probably a grunt worker in microsoft who was hushed by his manager.
    • Depends - give MSFT's stack-ranking system, I suspect it goes like this:

      If it's a coworker's flaw? You broadcast it to raise your own rankings and screw the other guy over.
      If it's your flaw and you discover it way too late in the process to fix w/o raising eyebrows? You shut up and pray like hell no one finds it.

  • Knowing (Score:5, Informative)

    by Anonymous Coward on Monday September 24, 2012 @01:40PM (#41439765)

    Microsoft has a policy of "responsible disclosure" such that they credit the flaw to the first person who participates in that process. If that person reveals it before Microsoft, then the "responsible disclosure" did not take place and the next person is given credit. It is of no surprise that the one who made it public did not get credit from Microsoft.

    • by Anonymous Coward

      1.) Guy reports exploit to M$ in February
      2.) They do nothing
      3.) Guy asks for progress in May
      4.) They do nothing
      5.) Guy asks for progress in July
      6.) They do nothing
      7.) Guy asks for progress in October
      8.) They do nothing
      9.) Guy releases exploit to public
      10.) MS bitches loudly about "Google trying to smear us"
      11.) MS does nothing for three days
      12.) Two low-level guys are told to fix it ASAP on Monday
      13.) On Tuesday they are grilled by Sinofski about progress
      14.) On Wednesday Ballmer throws a chair at them
      15.)

      • by Minwee (522556)
        Well, it got a response. Isn't that what "response-able disclosure" is all about?
    • by jd (1658)

      I thought that was called "profitable disclosure".

  • People (Score:4, Interesting)

    by gmuslera (3436) on Monday September 24, 2012 @01:42PM (#41439789) Homepage Journal

    Sometimes is good to remember that are involved people instead of big companies. Did the "company" knew about it or the people that received initially the report didn't escalated it? Who knows how much vulnerability reports they get every day, and how much of them are taken as dupes, already known, or plain sold to the biggest bidder, without the upper layers knowing about them.

    Anyway, they are playing their role. It's supposed to be security by obscurity, so let put a shadow on all hints of insecurity. With a bit of luck the only aware of it will be the researcher that sent the report instead of the bad guys, so will be plenty of time to fix and schedule a deploy without anyone else knowing that it happened.

  • Microsoft released this flaw on themselves so they'd have an excuse to invade multiple innocent computers with security essentials. You're living in a policed antivirus society. Wake up! There was actually a third exploit that you can see being silently removed by Norton before anything hit. You think this is a coincidence?

    • What is their goal in this? What to they gain from having MSE installed on systems?

    • by nzac (1822298)

      No if it's an inside job, it will be so they can claim that: the new win8/IE10 security methods work and this time they have solved IE's security problems.

  • by Anonymous Coward

    Most companies know of flaws before they are made public.

    • by Anonymous Coward

      MS has stated many times that they DO this.

      They are fuzzing/QA'ng their own code all the time and finding things. People are submitting things. They are very clear on how they test, patch things, and credit.

      This sort of attitude of 'i found a bug you must fix it *right* now' is rather silly. MS has pushed patches before they were ready and many businesses have suffered because of it. I know I have over the years had to change working code because of badly tested patches (patch 2 months later and it work

  • by rainer_d (115765) on Monday September 24, 2012 @02:24PM (#41440373) Homepage
    I'm sure it exists, as long as the balance sheet is OK. A "market" (and the ZD exploit market, being largely unregulated, TTBOMK) doesn't have any ethics per-se.
  • by mseeger (40923) on Monday September 24, 2012 @02:27PM (#41440433)

    The possibility raises questions about Microsoft [...] as well as about the ethics of the zero day exploit market.

    You're kidding me, right? You expect ethics on a market whose primary customers are spies and criminals? Selling to manufacturer is only the sale of the last resort.....

  • by fa2k (881632)

    If Microsoft knew about it, it wasn't a zero-day vulnerability

    • Um, how do you figure? A vulnerability that hasn't been fixed when a product is released is still a vulnerability, and it still occurs pre-release, so that satisfies both criteria for being a zero day vulnerability.

  • So if they knew in advance it would not be a "zero-day" right? I dunno, maybe I am missing something here, carry on.
  • MS knew about an exploit and tried keeping it under wraps until it was patched. It just so happens that the exploit became widely known before they could release it with their normal update cycle so they pushed out an early update. I'm glad they don't post all the potential new exploits they become aware of until they are able to address the problems. If they were relying on outside help to maintain their security then I could see the need to make exploits known right away but as this is not the case,
    • by funnyguy (28876)

      This is typical 0-day process. I'm not sure why there is now a problem with the 0-day ethics. But companies that sell their 0-day protection have always paid for and then given to M$ and 0racle (0-details), etc while leaving their customers protected. This is part of the "No more free bugs" approach, it provides a legitimate way to sell your discovery which someone worked towards, while knowing it is going to be responsibly disclosed and tracked and even that some people will be nearly immediately protec

  • This process was developed/implemented by HexView [hexview.com] a few years ago (I worked for them at that time): Whoever finds the vulnerability likely has enough knowledge to roughly estimate what it takes to fix it and test the fix. He/she supplies all details to the vendor and gives them a hard time frame, e.g.: "I will release this data to the public 30 days from now". At the same time, vulnerability alert without details to prevent/delay re-discovery may be released to the public. If the vendor fails to resolve t

A CONS is an object which cares. -- Bernie Greenberg.

Working...