Did Microsoft know about IE bug for months?

July 9, 2009 by Sam Narisi
Posted in: In this week's e-newsletter, Latest News & Views

Could Microsoft have prevented the recent Internet Explorer attacks that experts are comparing to Conficker?

A software vulnerability being used by hackers to attack Internet Explorer users may have been reported to Microsoft over 18 months ago.

In a recent security advisory, Microsoft credited a pair of researchers, Ryan Smith and Alex Wheeler, for discovering and reporting the bug.

The researchers say they discovered the bug while working together at IBM’s ISS X-Force. Although they wouldn’t comment on when they alerted Microsoft to the bug, Wheeler says he left ISS X-Force in January 2008. This suggests the pair told Microsoft about the vulnerability at least 18 months ago.

Microsoft hasn’t commented on when it was told about the vulnerability, or why it hadn’t patched it earlier. The company’s promised a patch, but has yet to commit to a delivery date.



One Response to “Did Microsoft know about IE bug for months?”

  1. Rex Ballard Says:

    Microsoft has been told about critical vulnerabilities in IE since the release of IE 4.0 and ActiveX controls. A site called Ultraviolet.org not only posted warnings, but also posted a number of demonstrations of how dangerous these “features” could be, including one that made your hard drive permanently unreadable (along with warnings NOT to run the demonstration on a drive you wanted to keep).

    Microsoft’s solution to this, and several other similar disclosures, was simple: they got court injunctions ordering the sites to take down all of this information. Microsoft argued that the publication of such information encouraged hackers to attack using these vulnerabilities. The sites were shut down, but Microsoft never closed those “back doors”, and in fact has added even more back doors to various other applications as well.

    Linux and Unix have benefited from such disclosures for years. Often, even “theoretical” bugs and vulnerabilities are fixed before they can actually be exploited.
