Critical IE Fix Released; MS Knew of Flaw Months Ago
Microsoft has admitted it knew about the latest Internet Explorer zero-day flaw more than three months ago, news that's likely to prompt criticism about the way the firm prioritizes security issues.
The bug, which involves an invalid pointer reference, was first reported to Microsoft by Israeli security expert Eyal Gruner on August 26. He says that because it was so easy to discover the vulnerability, he expected less scrupulous people would also find it and develop ways to exploit it.
MS Confirmed Flaw in September
Microsoft says it received this warning and confirmed it in early September. It says that investigating the recent attacks showed that they exploited the same issue that Gruner reported. (Source: technet.com)
Those attacks were particularly high-profile, as they included a breach of Google in China in an apparent attempt to access the emails of political activists. It later emerged that this was likely part of a series of attacks on major corporations carried out over the Christmas holidays.
Bug Fixing A Lengthy Process
Microsoft hasn't explained why it took so long to fix the problem, but another security researcher says the delay isn't out of the ordinary given the process Microsoft goes through when assessing a security risk, developing a solution and releasing the update. It appears the fix was already in the works and scheduled for a February release. (Source: computerworld.com)
With hindsight, of course, the issue could have been given priority over other bugs so that a fix was released immediately. But deciding whether to do that involves considering how easy a bug is to exploit, how serious the effects can be, and whether the bug is known among hackers.
Microsoft Releases Critical IE Fix Jan 21st
The out-of-cycle update released sometime yesterday contains a total of eight fixes for Internet Explorer.
It appears almost certain that the other bug fixes issued in this update were scheduled for the next regular monthly 'Patch Tuesday' on February 9th, and that Microsoft decided it made sense to release them all now to avoid users having to patch the browser twice. The February 9th update will of course go ahead with the remaining security fixes for other applications and Windows itself, plus any software updates.