Microsoft may have known about critical IE bug for months

Researchers uncovered latest bug in 2007; Microsoft mum on timing

The vulnerability that sent Microsoft scrambling yesterday and is being used by hackers now to attack Internet Explorer (IE) users may have been reported 18 months ago or more.

In the security advisory it issued yesterday, Microsoft credited a pair of researchers -- Ryan Smith and Alex Wheeler -- with reporting the bug. Smith and Wheeler once worked together at IBM's ISS X-Force, although Wheeler now is at Texas-based 3Com's TippingPoint DVLabs.

Wheeler confirmed that he and Smith uncovered the vulnerability, but he gave most of the credit to Smith. Wheeler declined, however, to say when the bug was reported to Microsoft. "I don't feel comfortable talking about that," he said, citing a non-disclosure agreement related to the vulnerability that he signed at the time. Instead, he steered questions to his former employer, ISS X-Force.

"But we worked on it prior to my time with TippingPoint," Wheeler acknowledged. Wheeler, who is the manager of DVLabs, started at TippingPoint in January 2008.

The CVE (Common Vulnerabilities and Exposures) number for the vulnerability -- CVE-2008-0015 -- points to a possible early 2008 reporting date. According to the database, the CVE number was reserved on Dec. 13, 2007.

ISS X-Force was not immediately able today to confirm a reporting date for the vulnerability, but the security firm did note in its own advisory, also published Monday, that hackers have been exploiting the bug since at least June 9, 2009, nearly a month ago.

In fact, X-Force listed two separate vulnerabilities in its advisory, saying that the flawed Microsoft Video Controller ActiveX Library, or the "msvidctl.dll" file, not only contained the buffer overflow bug attributed to Smith and Wheeler, but also harbored a memory corruption vulnerability discovered by X-Force researcher Robert Freeman.

Microsoft did not respond to questions about when it was informed of the vulnerability, and if it was in late 2007 or 2008, why it had not patched the problem.

No matter when it was reported, the bug is serious, Wheeler said today. "This particular vulnerability is relatively easy to exploit in a reliable way, if that makes sense," he said. "Although it does require setting up malicious hosting servers to serve the exploit ... you have to go to a [malicious] Web page to be compromised."

Attack code hasn't been posted widely, Wheeler added, but it won't be hard for other hackers to duplicate what's already in the wild. "It will be relatively simple to do that," he said, "compared to what they have to choose from at the moment."

Yesterday, Microsoft not only confirmed ongoing attacks against IE6 and IE7 users running Windows XP, but also offered an automated tool that sets 45 different "kill bits" in the ActiveX control, effectively disabling it and rendering attacks moot.

But Wheeler suggested another option: switch browsers. "Unless they're specially configured, other browsers will face substantially lower risk," said Wheeler. Browsers such as Mozilla's Firefox, Google's Chrome and Apple's Safari don't rely on ActiveX technology to drive add-ons, as does IE.

"Any client-side vulnerability is serious," said Wheeler, "but of the range, this one is in the more serious range."

Microsoft has promised to patch Windows and/or IE, but has not committed to a delivery date. Its next regularly-scheduled security updates will be released a week from today, on July 14.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags MicrosoftInternet Explorer

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Computerworld
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?