Microsoft 'ignored critical IE bug for months'

It has emerged that the flaw Microsoft patched yesterday, which hackers are using to attack Internet Explorer (IE) users, may have been reported 18 months ago or more.


In the security advisory it issued yesterday, Microsoft credited a pair of researchers - Ryan Smith and Alex Wheeler - with reporting the bug. Smith and Wheeler once worked together at IBM's ISS X-Force, although Wheeler now is at Texas-based 3Com's TippingPoint DVLabs.

Wheeler confirmed that he and Smith uncovered the vulnerability, but he gave most of the credit to Smith. Wheeler declined, however, to say when the bug was reported to Microsoft.

"I don't feel comfortable talking about that," he said, citing a non-disclosure agreement related to the vulnerability that he signed at the time. Instead, he steered questions to his former employer, ISS X-Force.

"But we worked on it prior to my time with TippingPoint," Wheeler acknowledged. Wheeler, who is the manager of DVLabs, started at TippingPoint in January 2008.

The CVE (Common Vulnerabilities and Exposures) number for the vulnerability - CVE-2008-0015 - points to a possible early 2008 reporting date. According to the database, the CVE number was reserved on December 13, 2007.

ISS X-Force was not immediately able today to confirm a reporting date for the vulnerability, but the security firm did note in its own advisory, also published Monday, that hackers have been exploiting the bug since at least June 9, 2009, nearly a month ago.

 