Clues, experts say Microsoft knew of IE zero-day for weeks before patching

Clues, experts say Microsoft knew of IE zero-day for weeks before patching

Bug-bounty program may have reported the browser flaw to Redmond in July

Microsoft may have known about last week's Internet Explorer (IE) zero-day bug for some time, according to its security advisory.

The vulnerability, which was patched Friday in an emergency, or "out-of-band," update, first became public on Sept. 15 when a researcher found an exploit on a known hacker server. The news prompted Microsoft to create a blocking tool within three days, then a fix for the flaw another three days later.

But the Redmond, Wash. company's security team likely knew of the bug long before that.

In the MS12-063 security bulletin, Microsoft credited Hewlett-Packard TippingPoint's bug bounty program, the Zero Day Initiative (ZDI), for reporting the vulnerability.

"Microsoft thanks ... an anonymous researcher, working with TippingPoint's Zero Day Initiative, for reporting the execCommand Use After Free Vulnerability ( CVE-2012-4969)," the bulletin read, referring to the CVE, or Common Vulnerabilities and Exposures identifier for the IE zero-day.

When ZDI provided Microsoft with information about the bug, however, is unknown. Neither Microsoft or HP TippingPoint responded to questions over the weekend about CVE-2012-4969's reporting timeline. Nor has ZDI published any technical information about the vulnerability, something it does eventually after a vendor patches a bug it's reported.

Security experts also picked out the ZDI attribution, and speculated on what that meant.

"[The early warning] helped Microsoft get the patch out so quickly," said Wolfgang Kandek, CTO of Qualys, in an instant message conversation Friday. Researchers had praised Microsoft for turning out a patch in less than a week. But Kandek doubted Microsoft had much warning, citing the CVE identifier's assignment date.

ZDI's listing of upcoming advisories -- those for bugs it has reported to vendors -- included 10 for Microsoft with "Anonymous" as the researcher.

The most recent match was reported to Microsoft on July 24, 2012, said ZDI, while the oldest was submitted May 25, 2011. Others between those two dates were logged on July 16 and March 14 of this year, and on Nov. 29, 2011.

If the newest was the one reporting CVE-2012-4969, Microsoft knew of the IE zero-day for more than seven weeks before Eric Romang, the researcher who announced finding an exploit on a hacker-controlled server, disclosed his discovery Sept. 15.

Romang also noticed the ZDI attribution in MS12-063.

"So, [to be] clear, this mean[s] that this vulnerability was discovered by another researcher, previous [to] my discovery, reported to ZDI, [which] then reported it to Microsoft," said Romang in a Saturday post to his personal blog.

HP TippingPoint runs its ZDI bug-bounty program to create protection signatures for its HP Digital Vaccine customers, who use them in their IPS (intrusion prevention system) hardware.

Another clue to an early warning of the IE vulnerability comes from IE10, the version bundled with Windows 8, the OS upgrade already deployed by some users but set to reach retail Oct. 26.

Last week, Microsoft repeatedly said that IE10 was not vulnerable, with Elia Florio of the MSRC engineering group asserting on Thursday that, "Internet Explorer 10 is not affected."

Microsoft finalized IE10 at some point before Aug. 1, when it announced Windows 8 was ready for distribution to customers and computer makers.

It's possible, said Andrew Storms, director of security operations at nCircle Security, that Microsoft patched IE10 with information from ZDI, but was still in the testing stage for other versions of the browser. Another alternative is that Microsoft inadvertently fixed the flaw by changing IE10's code for other purposes.

Storms gave each a 50-50 chance of explaining IE10's invulnerability to the zero-day bug.

But there's another plausible reason: One of IE10's new security features blocked exploits, even though the browser remained unpatched.

Florio's vague wording -- that IE10 "is not affected" -- does not explicitly state that the browser has been patched, leaving the third option on the table.

Security experts brought up other concerns, too, namely that hackers may be "reverse engineering" HP's Digital Vaccine IPS signatures to find flaws in Microsoft's code, information that they then use to craft their zero-day exploits.

Robert Graham of Errata Security theorized that that could explain the connection between ZDI's report and the use of the CVE-2012-4969 vulnerability by hackers before it was patched.

"Many IPS vendors include [zero]-day protection, 'virtually patching' vulnerabilities in the IPS before the real patch is announced," said Graham in a Friday blog post. "That means hackers can simply reverse-engineer an IPS in order to get a constant feed of [zero-]days from the signature updates."

Romang, however, went further. Like Graham, he said reverse-engineering may explain the link between ZDI and the zero-day. But he also wondered if ZDI had leaked, whether purposefully or accidentally, the technical details of the CVE-2102-4969 bug.

Last month, a Java zero-day vulnerability was exploited by the gang that controlled the server Romang had uncovered Sept. 15. Like the IE bug, the Java flaw was a zero-day -- there was no immediate patch. And like the IE vulnerability, the one in Java had been reported by ZDI.

Oracle shipped a very rare out-of-band update for Java at the end of August to stymie attacks, which were quickly gaining momentum.

HP TippingPoint did not reply to a Saturday request for comments about Romang's leak speculation.

Windows users can obtain MS12-063 via the Microsoft Update and Windows Update services, as well as through the enterprise-grade WSUS (Windows Server Update Services).

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is

See more by Gregg Keizer on

Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.

Follow Us

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.


Show Comments