The company released a security fix in less than three days

Sep 24, 2012 06:58 GMT

Microsoft released the long-awaited Internet Explorer patch on Friday and, while everybody praised the Redmond-based software giant for reacting so quickly, security experts are claiming that the company knew of this bug since July.

Microsoft mentioned in the MS12-063 security bulletin that this critical security issue in Internet Explorer was found by an anonymous researcher working with TippingPoint’s Zero Day Initiative, but it didn’t mention the exact date of the report.

“Microsoft thanks [...] an anonymous researcher, working with TippingPoint's Zero Day Initiative, for reporting the execCommand Use After Free Vulnerability (CVE-2012-4969),” the company said in the blog post.

The ZDI website, on the other hand, displays a total of 10 reports sent to Microsoft, all marked with Anonymous in the researcher field. The most recent is dated July 24, 2012, which means that Microsoft hasn’t received another report from ZDI since that date.

"[The early warning] helped Microsoft get the patch out so quickly," said Wolfgang Kandek, CTO of Qualys, according to ComputerWorld.

Eric Romang, who found an exploit targeting the Internet Explorer 9 bug in the wild and informed Microsoft about it, also mentioned in a blog post that there’s something fishy about the company’s quick reaction.

“So, to be clear, this means that this vulnerability was discovered by another researcher, prior to my discovery, reported to ZDI, which then reported it to Microsoft. Hum… Microsoft didn’t yet provide the ZDI reference and ZDI also hasn’t communicated about it,” he wrote.

“If CVE-2012-4969 was reported to ZDI by an anonymous researcher, the vulnerability was known to Microsoft for a minimum of 1 month, a maximum of 462 days, an average time of 168.4 days…”

In addition to the Internet Explorer 9 patch, Microsoft also rolled out a patch to fix an Adobe Flash security flaw in the version of Internet Explorer 10 bundled with Windows 8.