Microsoft aware of zero day exploit for 7 weeks before emergency patch was issued?

We do know that the recent Zero Day exploit in Internet Explorer was patched by Microsoft (albeit this is but a temporary measure), but there are rumors going around that Microsoft was aware concerning this exploit for a good 7 weeks prior, and for a company of their size and stature to not do anything about it nor release a statement of caution to the masses reeks of irresponsibility – assuming that the rumors are true, of course.

An online source as reported by Gregg Keizer, said “Microsoft may have known about last week’s Internet Explorer (IE) zero-day bug for some time.” The security bulletin saw Microsoft issue thanks to “an anonymous researcher, working with TippingPoint’s Zero Day Initiative, for reporting the execCommand Use After Free Vulnerability ( CVE-2012-4969).” Assuming that the latest report was CVE-2012-4969, one can then make the inference that Microsoft was already aware of the IE Zero Day exploit for over seven weeks before Eric Romang, the researcher who announced the discovery of the exploit on a hacker-controlled server, did so in the middle of September. Juicy stuff, but rumors remain as just that until they are substantiated by cold, hard facts.

Edwin Kee
Categories: Computers
Tags: internet explorer, Microsoft