Microsoft Knew of IE Zero-Day Flaw Since September

Microsoft today admitted it knew of the Internet Explorer flaw used in the attacks against Google and Adobe since September last year.

The flaw was in the Microsoft Security Response Center’s (MSRC) queue to be fixed in the next batch of patches due in February, but the targeted zero-day attacks against U.S. companies forced the company to release an emergency, out-of-band IE update.
The IE update applies to all versions of the browser on all Windows OS versions and patches at least eight documented vulnerabilities that could lead to remote code execution attacks.

The patches are included in the critical MS10-002 bulletin.

The vulnerability used in the attacks (CVE-2010-0249) was privately reported to Microsoft last August by Meron Sellen, a white-hat hacker at BugSec, an Israeli security research company. Microsoft program manager Jerry Bryant said the company confirmed the severity of the flaw in September and planned to ship a fix in a cumulative IE update next month.

The vulnerability is described as a remote code execution issue in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted.

  • An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Even if you don’t use Internet Explorer for regular Web browsing, it’s important for Windows users to apply this update immediately. That’s because the vulnerability can be exploited by including an ActiveX control in a Microsoft Access, Word, Excel, or PowerPoint file.

“Customers would have to open a malicious file to be at risk of exploitation,” Microsoft’s Bryant said, urging users to disable ActiveX controls in Microsoft Office.

Discussion

  • Anonymous1 on

    So, Microsoft knew about this since last September. Why did they wait so long knowing that this was a zero-day flaw to patch it? (oh, wait... Google had the guts to announce it to the public, maybe this is why it was scheduled to be fixed "next month".)
    It seems like Microsoft is making stuff without really checking it for bugs/vulnerabilities (nor are they listening to people that are trying to help them). This is why I use Firefox, it's less of a headache.

  • Anonymous on

    I agree, Microsoft's recent track record for vulnerabilities and patch time has been pretty bad....

  • Anonymous on

    Who thinks this might speed up Google's implementation of their own OS? Working for non-profits I have had a lot of success moving them away from Windows dependency by reimaging systems to Linux, using Mozilla, and teaching them to use OpenOffice applications. Only in one instance did any system come back because they needed to have a Windows or Mac, so we built a Mac VM as a workaround.

    I personally think Windows has some nice ideas, but implementation of those concepts and reaction to market needs (operational or security-based) has become a ball and chain to the company.

  • Mike on

    Just another reason I refuse to use IE - it's completely boring and prone to attack.

  • Jason on

    It wasn't a zero-day exploit in September, it was simply something that needed to be patched and was in the queue, at the time it was lower priority, when it was exploited it became a higher priority and was patched. That's no different than every other browser out there. Exploits are prioritized and patched.

    What is even more concerning is that websites are continuing to be hacked to exploit these and other flaws in the browsers. Be it direct hacks of sites or through ad networks.

  • Sam on

    So Jason you're saying Microsoft has so many security bugs they already know about but haven't fixed that when they find/are told about a bug that opens up a "visit random web site, and with no user interaction the machine is completely taken over" hole the earliest they can fix it is in 5 months time.

    Just how many bugs *more serious* than this do they already have scheduled in front of it?!?

  • Anonymous on

    Actually, August. The underlying issue is CVE-2010-0248 [ http://www.zerodayinitiative.com/advisories/ZDI-10-014/ ]. They knew about the underlying refcount issue then, and there are many ways to exploit it, only one of which is CVE-2010-0249. It was first discovered by Peter Vreugdenhil.

    They may not even all be patched now.
