TippingPoint ZDI may have tipped Microsoft off to IE security hole two months ago
It has been suggested that Microsoft knew about the recent IE security flaw which hit its Internet Explorer browser last week, almost two months before it came to the attention of the experts.
The company released a Fix It tool to alleviate the problem ahead of the permanent “out-of-cycle” IE security update on Friday, and was praised for a fast response. However, the patch notes credit TippingPoint Zero Day Initiative (ZDI) for finding the flaw, and not Eric Romang who made it public on 15 September.
On 15 September, Microsoft acknowledged that an IE security flaw was being actively targeted for attacks using a previously unknown and unpatched vulnerability, after it was identified by Romang, a security researcher from the Metasploit project.
The vulnerability was present in Internet Explorer 9 and earlier versions. According to Microsoft, it “could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.” An attacker who successfully exploited this vulnerability “could gain the same user rights as the current user.”
The problem was so severe that the German government’s Federal Office for Information Security advised all users to temporarily switch browsers until a patch was ready.
Microsoft released a short-term solution by 18 September and an emergency security update by 21 September. In its patch notes, Microsoft thanked “an anonymous researcher, working with TippingPoint’s Zero Day Initiative, for reporting the execCommand Use After Free Vulnerability (CVE-2012-4969)”. However, the patch notes don’t specify when this vulnerability was discovered.
TippingPoint Zero Day Initiative (ZDI) is a bug bounty program operated by Hewlett-Packard, which helps develop Digital Vaccine Intrusion Prevention Systems (IPS).
According to ZDI’s own listings, the organisation submitted its most recent advisory from an “anonymous” researcher to Microsoft on 24 July. If that advisory contained information about the IE Zero-Day, the Redmond company had almost two months to come up with a solution.
Eric Romang, the researcher who had found the exploit on a hacker-controlled server, and disclosed it on 15 September, was surprised to see ZDI credited for the discovery.
“So, to be clear, this means that this vulnerability was discovered by another researcher, previously to my discovery, reported to ZDI, which then reported it to Microsoft,” wrote Romang on his blog.
He also said that “ZDI is a part of the zero-day exploit market, and that the principal objective of this market is to do money by selling 0days to interested persons or organizations.”
In a blog post on Friday, Robert Graham from Errata Security suggested that hackers may be “reverse engineering” HP’s Digital Vaccine IPS, which are created based on information collected by ZDI. This would explain how the vulnerability was discovered by the hackers in the first place.
According to PC Advisor, another clue to an early warning of the IE vulnerability comes from IE10. The latest version of the Microsoft browser was not threatened by the flaw, and according to Andrew Storms from nCircle Security, this could mean that it was already patched using information from ZDI.
Windows users can obtain MS12-063 via the Microsoft Update and Windows Update services, as well as through the enterprise-grade Windows Server Update Services.
Is Microsoft Office your friend? Take our quiz!