IE emergency patch issued, but rumors fly that Microsoft knew about 0-day for 7 weeks

With IE users fleeing and the world either ticked or laughing, Microsoft issued an out-of-band emergency patch for the Internet Explorer zero-day exploit. But rumors are flying that Microsoft may have known about the zero-day for about seven weeks. Others question if zero-days are being sold by TippingPoint's Zero Day Initiative. Yet others suggest that the IE and Java zero-days leaked from IPS and were reverse-engineered signatures.

Microsoft released an out-of-cycle emergency patch for the Internet Explorer zero-day exploit that put computers at risk of Poison Ivy infections, a type of malware that can steal data or take remote control of PCs.

Last week it seemed like everyone was jumping on the dump IE browser bandwagon, including the German government, which told all users to stop using Internet Explorer now. Softpedia poked fun by collecting 10 IE jokes like these three:

  • The only time you are allowed to use Internet Explorer is when you're downloading Chrome or Mozilla.
  • Microsoft CEO will personally apologize to the last remaining Internet Explorer user.
  • If Monday was a browser, it would be Internet Explorer.

With IE users fleeing and the world either ticked or laughing, Microsoft first issued an "easy-to-use, one-click, full-strength Fix it solution," but then on Friday the Mighty M apparently had little choice but to issue the emergency Security Update MS12-063. Yunsun Wee, director of Microsoft's Trustworthy Computing Group, said, "Today we released a security update to address the Internet Explorer issue impacting a small number of customers. While attacks have been limited, for increased protection, customers should apply the update as soon as possible if they do not have automatic updates enabled." The out-of-band patch "also resolves four privately disclosed vulnerabilities that are currently not being exploited."

Additionally, Microsoft released Security Advisory 2755801 to address issues affecting Adobe Flash Player in Internet Explorer 10 on Windows 8. Wee stated, "Microsoft released an update to help protect customers from vulnerabilities affecting Adobe Flash Player in Internet Explorer 10. We are working closely with Adobe to help protect our customers and deliver quality protections that are aligned with Adobe's s update process."

However, as Gregg Keizer reported, "Microsoft may have known about last week's Internet Explorer (IE) zero-day bug for some time." In the security bulletin, Microsoft thanked "an anonymous researcher, working with TippingPoint's Zero Day Initiative, for reporting the execCommand Use After Free Vulnerability (CVE-2012-4969)."

Looking back at the Zero Day Initiative (ZDI) upcoming advisories, it may be the zero-day exploit was reported to Microsoft as long ago as July 24, 2012. Keizer reported, "If the newest was the one reporting CVE-2012-4969, Microsoft knew of the IE zero-day for more than seven weeks before Eric Romang, the researcher who announced finding an exploit on a hacker-controlled server, disclosed his discovery Sept. 15."

After reading Microsoft's acknowledgement, Romang blogged about how the "vulnerability was discovered by another researcher." He also questioned "if ZDI had leaked, whether purposefully or accidentally, the technical details of the CVE-2102-4969 bug." In an update to his post, Romang pointed toward an interesting article, "0-day leaks from IPS," by Errata Security's Robert Graham (@ErrataRob).

Graham wrote that Romang's post suggests "ZDI sells the 0-days. But it could also be that hackers are reverse-engineering TippingPoint signatures to get details." In a 2007 Black Hat presentation, Graham and Dave Maynor demonstrated "how easy it was to extract 0-day from IPS."

If there is a massive state-funded effort by the Chinese government doing these attacks (as many claim), then it's almost certain they've got TippingPoint boxes and are doing as much as they can to extract the latest 0day information from signature updates. The FBI threatened us trying to cancel our talk, claiming it was an issue of national security, presumably so that the Chinese wouldn't figure it out. We gave the talk anyway, because we felt the Chinese were already doing this, and it's something everyone needs to know about, and not something the FBI should try to hush up in order to protect TippingPoint's reputation. (I yelled at the FBI agents, calling them "corporate pawns", which felt dirty because normally I'm on the side of corporations).

Think back to the last Java zero-day. Keizer wrote, "Like the IE bug, the Java flaw was a zero-day -- there was no immediate patch. And like the IE vulnerability, the one in Java had been reported by ZDI." Is this a grand conspiracy theory like when many of us were quick to believe the leaked Apple UDIDs came from an FBI laptop? If it is true that there is a "link between ZDI and the zero-day," we'll surely being hearing more soon.  

Like this? Here's more posts:

Follow me on Twitter @PrivacyFanatic

Copyright © 2012 IDG Communications, Inc.

Get the best of CSO ... delivered. Sign up for our FREE email newsletters!