Microsoft knew of just-patched IE zero-day for months

From InfoWorld: Microsoft may not have hustled as fast as researchers thought when the company patched a zero-day bug in Internet Explorer (IE) just 18 days after exploit code went public.

According to VeriSign iDefense, Microsoft had information about the browser bug nearly six months before the researcher dubbed "K4mr4n" posted attack code to the Bugtraq security mailing list on Nov. 20.

iDefense's Zero Day Initiative (ZDI), one of the two best-known bug bounty programs, reported the vulnerability to Microsoft on June 9, 2009, iDefense noted in an advisory published Wednesday.

IE6 and IE7, two versions of Microsoft's browser that collectively accounted for approximately 39 percent of all browsers used last month, were the only editions affected by the vulnerability. The ancient IE 5.01 and the new IE8 were immune from the threat.

Three days after K4mr4n publicized the exploit proof-of-concept, Microsoft confirmed that the attack code worked, and issued a security advisory that provided some information about the bug. At no time, however, did it acknowledge it knew of the vulnerability, only going as far as to say it was investigating the issue.