Microsoft did not act as quickly researchers thought when it patched a zero-day bug in Internet Explorer (IE) just 18 days after exploit code went public.
According to VeriSign iDefense, Microsoft had information about the browser bug nearly six months before the researcher dubbed 'K4mr4n' posted attack code to the Bugtraq security mailing list on 20 November.
iDefense's Zero Day Initiative (ZDI), one of the two best-known bug bounty programs, reported the vulnerability to Microsoft on June 9, 2009, iDefense noted in an advisory published on Wednesday.
IE6 and IE7, two versions of Microsoft's browser that collectively accounted for approximately 39% of all browsers used last month, were the only editions affected by the vulnerability. The ancient IE 5.01 and the new IE8 were immune from the threat.
Three days after K4mr4n publicised the exploit proof-of-concept, Microsoft confirmed that the attack code worked, and issued a security advisory that provided some information about the bug. At no time, however, did it acknowledge it knew of the vulnerability, only going as far as to say it was investigating the issue.
Last week, experts agreed that it was unlikely Microsoft would be able make the December 8 deadline for the company's monthly Patch Tuesday. In fact, when Microsoft did patch the problem on Tuesday, Andrew Storms, director of security operations at nCircle Network Security, applauded Microsoft's speed. "That was record time for Microsoft, to patch in just two weeks," he said.
Storms and others based their bets on Microsoft's past track record. Historically, Microsoft has taken a month or more to deliver a patch for a publicly-disclosed IE vulnerability. On the rare times when Microsoft has issued an 'out-of-band' update - one outside its normal monthly schedule - it's done so because in-the-wild attacks were gaining momentum. Although K4mr4n's exploit was in circulation, security firms like Symantec had confirmed Microsoft's contention that actual attacks had not yet appeared.
There were signs that Microsoft had known of the flaw for longer than two weeks, however. It credited iDefense with reporting the bug in the MS09-072 security bulletin that included the IE6 and IE7 patch, a fact Storms noticed.
On Wednesday, Storms pointed out the iDefense reporting date to Computerworld's US sister title. "The IE zero-day that was fixed - Microsoft had six months," he said.