Microsoft beat up, then defended over ancient IE8 zero-day

The strange story of how and when a Google researcher disclosed an IE bug

The war between security researchers (particularly from Google) and Microsoft is heating up, again, over an old bug in IE8 that was reportedly disclosed to Microsoft years ago. Once again, it seems like there aren't any good guys looking out for the users. On Friday, Google security researcher Chris Evans, in a fit of frustration over what he said was Microsoft's lack of action, posted a link to proof-of-concept code for the bug to the Full Disclosure mailing list.

This prompted Microsoft's Security Response team to Tweet an acknowledgment of the hole on Friday. It said, "We’re aware of a publicly disclosed issue involving Internet Explorer. We’ll continue to investigate over the weekend." (6:52 PM Sep 3rd via web.)

This Tweet prompted Computerworld's Gregg Keizer to write a story today, "Microsoft investigates two-year-old IE bug."

This prompted Jason Miller, data and security team manager from security patch vendor Shavlik Technologies, to send journalists such as me an e-mail this afternoon defending Microsoft and declaring that nothing is a zero-day until the vendor confirms that it is. Miller said:

"The Microsoft Security Response Center tweeted last week about a possible zero day exploit with Internet Explorer 8. The reported vulnerability about an Internet CSS bug was publicly disclosed, but there have been no reports of attacks yet. As Microsoft is investigating this issue, we fully expect a security advisory to be released with this issue soon. Until Microsoft fully researches the issue, there are no actions that need to be taken with this issue. It is very important to wait for vendor confirmation with zero day exploits. Security researchers that publicly disclose vulnerabilities may not have all the information. We have seen this recently with publicly disclosed information that was not entirely correct. Vendor confirmation will provide administrators with precise information and actions they can take to help mitigate the risk."

The action that has been advised by the security researcher was to ditch IE8. And before we get into the rest of the bizarre history of this bug disclosure, let's also note that as of the time stamp on this blog post, end of day, Tuesday, MSRC has not posted a single additional syllable about that bug beyond its vague Twitter acknowledgment.

Based on Evans' multiple blog posts on the topic, and the research paper penned by him and the three Carnegie Mellon University researchers he credits with finding the bug, here's my summary of the problem, known as the "CSS cross-origin theft" bug.

If you send a pair of messages to a victim who uses a browser-based e-mail or social networking application like Twitter, wait a spell between sending the first and second message, and then convince the victim to click on an evil link that abuses the CSS standards as implemented by the browser, you can see information about the messages the victim received between the first and second message you sent. That info includes the subject line of an e-mail and could include the application's token/cookie that allows the user to access the inbox. A number of variables make this a difficult attack to pull off for all browsers but Internet Explorer, not the least of which is that other browsers have already patched against the problem. His proof-of-concept code hijacks a Twitter account.

Evans wrote about the hole in December 2009. On August 2, Evans wrote about the attack again, reporting that it had been known among hackers since 2008, in a blog post titled "Internet Explorer considered harmful." He also fully absolves Web applications and finishes his post by saying, "Browsers are complicated pieces of software and will always have bugs. Time-to-fix therefore matters for a browser. If security is a factor in your browser choice, I recommend you look at Opera or Chrome. These browsers fixed this bug the fastest."

At the time Evans wrote that, however, Firefox and Safari had also patched the bug. Keizer notes that it will be fixed in IE9.

In any case, Evans said that he was posting his proof of concept to the Full Disclosure e-mail list because Microsoft was ignoring the situation. He wrote, "In an attempt to get this bug fixed... A nasty vulnerability exists in the latest Internet Explorer 8. I have been unsuccessful in persuading the vendor to issue a fix." He links to a research paper, with an October date, stored on Carnegie Mellon's Silicon Valley Web Security Research page. Although the PDF is already published, the paper won't be presented until the ACM Conference on Computer and Communications Security in Chicago, which begins Oct. 4, as the site and the date on the paper imply.

I can buy that Microsoft was probably dragging its feet when confronted with a researcher from Google reporting a soon-to-be-presented hole. A recent report by IBM's X-Force Team claims that Microsoft is the least responsive overall in fixing disclosed bugs. So far, in 2010, it has left 23% of disclosed bugs unpatched, with 7% of those rated critical or highly dangerous according to, well, some source or another -- the report doesn't say. And its gathering methods are far from precise.

Indeed, Google had originally come out as the worst offender in that same report, with a 33% unpatched rating because it had left one out of three bugs unpatched. Google complained, IBM revised its chart (Google is now listed as having zero unpatched bugs) and Microsoft was declared the worst offender. Ironically, despite putting Microsoft at the top of the list, IBM showed itself to be the least responsive of the lot. It failed to patch 9% of the reported bugs, but of those, 29% were considered critical or highly dangerous.

So, from this admittedly questionable research, it looks like Microsoft is ignoring a larger number of bugs (perhaps including those reported by Google researchers), but focusing on the ones that are the most dangerous.

Don't get me wrong. I'm not excusing or defending Microsoft. Two years is certainly enough time to fix a known bug, when all the other browser makers have done so. The report to be discussed next month even says, "To date, all published attacks of this type have required JavaScript, and most have been specific to Internet Explorer." The report then proceeds to explain how all other browsers but Internet Explorer create multiple situations that would stop the attack.

Interestingly, the report also discusses how Hotmail and Yahoo mail are susceptible while failing to mention Gmail, even though Evans makes it clear that it's not an issue with the application, but with the way the browser processes CSS.

Even more funky? In the acknowledgements, the report thanks two Microsoft Security Researchers (PDF, page 10) by name, for their help with the research: "Helen Wang, our shepherd, and Eric Lawrence of Microsoft." It documents some of the proposed fixes for the bug from Microsoft, too.

Which leaves me scratching my head. If Microsoft researchers were involved to the point of being thanked in the research paper, one of them even called a "shepherd," and the report wasn't due to be presented until October 4, was Microsoft really ignoring one of the report's authors? And did such lack of response necessitate going public with proof-of-concept code that puts IE users in harm's way?

Or not?


Copyright © 2010 IDG Communications, Inc.