Feeds

MS Zero-day security bug was two years in the making

Fix only followed exploit

Beginner's guide to SSL certificates

A flaw in Office Web Components which Microsoft fixed on Tuesday was first reported to the software giant over two years ago, it has emerged.

The time taken to release a patch has security vendors speculating that Redmond's security gnomes only got around to fixing the software flaw at all because hackers have begun exploiting it over recent weeks.

The arrival of the MS09-043 patch addressed a zero-day flaw that had become the fodder of drive-by download attacks from malicious web pages. The patch addressed four vulnerabilities in Office ActiveX control in total, including the zero-day flaw. Users previously had to rely on workarounds published by Microsoft in a July advisory.

The 0day security bug was discovered by researcher Peter Vreugdenhil and first reported to Microsoft in March 2007 via the TippingPoint's Zero Day initiative scheme, which pays researchers for security exploits.

TippingPoint uses this information to add signature detection against exploits based on the bug to its intrusion protection products. It also passes along the information to the relevant software developers, in this case Microsoft.

Responding to question on the long delay, ZDI manager Pedram Amini told heise Security, "they [Microsoft] kept finding the need for more time to ensure the issue was completely addressed".

TippingPoint is not one to rush vendors in general. Other security vendors, such as F-secure, remain puzzled about why the fix was so long in development.

A list of pending notifications from TippingPoint reveals that many vendors are yet to release fixes for "high" severity flaws a year after they were notified of a problem. Five such flaws are queued with Redmond, but Microsoft is in good company. CA, HP, IBM, Symantec, Mozilla and Adobe are also yet to release fixes for serious flaws they were informed about more than a year ago. ®

Bootnote

The buggy component in question here is a spreadsheet ActiveX control. The issue shouldn't be confused with Microsoft's patch for a buggy video ActiveX control, released in July. That update also addressed a zero-day bug but one Microsoft had known about for only a year, compared to two years in the latest case.

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
SHELLSHOCKED: Fortune 1000 outfits Bash out batches of patches
CloudPassage points to 'pervasive' threat of Bash bug
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.