
Microsoft knew of nasty IE bug a year before attacks

Security delayed or security denied?

'Not so much a coincidence'

The fix Microsoft issued Monday kills 45 CLSIDs related to the vulnerable ActiveX control (for a video feature known as DirectShow), 44 more than are currently being targeted, Reavey said. At the same time, Microsoft engineers "had to make sure that we didn't unintentionally kill something that did have a known use."
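Killing a CLSID means setting its kill bit (the 0x400 bit of the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}) so Internet Explorer refuses to instantiate the control. The following PowerShell check is an added example, not part of the article or of Microsoft's Fix it; it lets an administrator confirm that the workaround actually landed on a machine. The CLSIDs in it are placeholders, since the article does not list the 45 Microsoft kill-bitted, and `Test-KillBit` is a hypothetical helper name.

```powershell
# Added example: verify the ActiveX kill bit for a list of CLSIDs.
# Kill bit = 0x400 in "Compatibility Flags" (REG_DWORD) under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
# PLACEHOLDER CLSIDs: replace with the ones from Microsoft's advisory.
$Clsids = @(
    '{00000000-0000-0000-0000-000000000001}',   # placeholder
    '{00000000-0000-0000-0000-000000000002}'    # placeholder
)
$KillBit = 0x400

function Test-KillBit {
    param([string]$Clsid)
    $paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    # 32-bit IE on 64-bit Windows reads the WOW64 view of the hive, so check it too.
    if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
        $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) {
            [pscustomobject]@{ CLSID = $Clsid; Path = $p; KillBitSet = $false; Reason = 'key missing' }
            continue
        }
        $flags = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).'Compatibility Flags'
        # Bitwise test: other flag bits may be set alongside the kill bit.
        $set = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
        [pscustomobject]@{
            CLSID      = $Clsid
            Path       = $p
            KillBitSet = $set
            Reason     = if ($set) { 'ok' } else { 'Compatibility Flags lacks 0x400' }
        }
    }
}

$results = $Clsids | ForEach-Object { Test-KillBit $_ }
$results | Format-Table -AutoSize
# Non-zero exit if any CLSID is still instantiable, for use from a deployment tool.
if ($results | Where-Object { -not $_.KillBitSet }) { exit 1 } else { exit 0 }
```

Run it elevated after applying the Fix it or the update; a "key missing" result means the control was never kill-bitted on that machine, not that it is absent.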

Reavey went on to say the timing of the advisory "is not so much a coincidence as we have been working on it since 2008 and these attacks cover some of that work and so we were able to move fast and address what we know bad guys are using right now."

His comments lay out the awesome responsibility that comes when you're the maker of an overwhelmingly dominant operating system and you find critical vulnerabilities in it. Issue a fix too soon and you make matters worse. Spend a year investigating, as Microsoft did in this case, and attackers may flood the world with exploits before you get a chance to issue a patch through normal channels.

That's too bad because many of the pages hosting the exploit reside on well-trafficked websites, mostly operated by legitimate organizations based in China. Some researchers are comparing the DirectShow vulnerability to the one that touched off the Conficker worm, believed to have compromised millions of Windows PCs. Both have the ability to infect a large base of users quickly, they warn.

A year to investigate a bug that later turns out to be easily exploitable seems like a long time to us. These attacks have been under way since early June, according to security experts. Had the company been able to push out a fix during its regular patch cycle, it would have prevented the exploitation of untold numbers of Windows users who did nothing more than browse to the wrong website.

But that's not how Ryan Smith, one of the researchers who discovered the bug, sees things.

"The actual mechanics of the vulnerability aren't standard and that's kind of what took Microsoft so long," he said in an interview. "They were definitely working diligently to fix the problem. It was more the nature of the flaw that took so much time."

Smith, who now works for security firm iDefense, says he's not at liberty to discuss the specifics of the bug, although he says there will be additional details offered during a talk he and two other researchers plan to give later this month at the Black Hat security conference in Las Vegas.

What he can say is that he received regular updates from Microsoft throughout that time.

"They're one of the best vendors to work with," he said. "A lot of vendors won't give you any information. Microsoft was very forthcoming with the details."

What shouldn't get lost in this controversy is the simple fact that now, no one has to be bitten by this ugly bug. If you use any flavor of Windows XP or Windows Server 2003, you should immediately hit this link and click on the Fix it icon to enable a workaround. It's quick, painless and crucial, given all the time that's already been lost. ®
