MICROSOFT WAS MADE AWARE of the zero-day IE6 flaw five months before it released the ‘emergency’ out-of-band MS10-002 patch to finally fix the problem yesterday. The release was hurriedly cobbled together to patch the hole in Internet Explorer that was thought to have given Chinese hackers, possibly working for China’s government, access to Google’s internal systems and human rights activists’ Gmail accounts.
The Vole acknowledged that it had known about the flaw since Meron Sellen, a white-hat hacker employed as a security researcher by Israeli firm BugSec, alerted Microsoft to the issue back in September last year. Jerry Bryant, senior program manager at Microsoft Security Response Center, posted a blog update last night, confirming the story:
“As part of our investigation, we also determined that the vulnerability was the same as a vulnerability responsibly reported to us and confirmed in early September,” he admitted.
Microsoft had initially planned to release a cumulative IE patch as a part of its standard security patch cycle. It claims that its standard procedure is to have a six-month quality assurance patch cycle so, despite the fact that Microsoft was made aware of the flaw by Sellen, it’s making the excuse that it was not unusual that it didn’t give punters a security update.
However, wall-to-wall coverage of the Chinese Google hack greatly expedited the patch’s release.