Microsoft admits it knew of the IE, zero-day ActiveX hole for months

Patch is "on track" for next Tuesday but MS recommends you don't wait for it

Microsoft this afternoon responded to accusations that it knew about a critical IE ActiveX hole for as long as 18 months. The hole is being actively exploited by hackers. To its credit, Microsoft came clean and admitted it did indeed know since the spring of 2008. To its detriment, what's the point of asking researchers to come to you and report bugs privately, under non-disclosure, so you can fix them before the hackers find out, if you don't fix them until after the hackers find out?

The timeline is this: On Tuesday, Microsoft warned users that the hole existed and that a patch was not available, but that the workaround was simple and fairly harmless: turn the vulnerable service off. Yesterday, researchers came forward to reveal that Microsoft had known about the bug for quite some time. While they didn't reveal the exact date, some detective work by Computerworld reporter Gregg Keizer indicated that the bug was reported to Microsoft in early 2008. Microsoft today confirmed it was reported in spring of 2008.

The following sounds like a defense, but before you flame me, please know that I'm only paraphrasing Microsoft's blog post on the topic, and there's more than a little tongue-in-cheek going through my head as I type ... In any case: The excuse was that, as Microsoft was looking into a fix, hackers spontaneously found the bug and started using it. Plus it was a hard (really, really hard) bug to fix, as the best fix seemed to be to disable the ActiveX service, which meant testing to ensure that turning it off wouldn't kill anything else. Worth noting that Microsoft had already turned it off in Vista.

If there is any good news to this mess, it is that Microsoft says it will finally have a patch ready and included in next Tuesday's round-o-patches. However, in the ultimate irony, Microsoft also says, don't wait for the patch. Mike Reavey writes in the company's Security Response Center blog:

"Customers who have already implemented the killbits manually or through the FixIt workaround won’t need to implement next week’s security update, though we recommend that you apply the update to ensure that reporting accurately shows that the systems are fully protected. We’re on track to release the security update next Tuesday. But if you haven’t implemented the killbits already, we recommend that you go ahead and do that to protect yourself against the attacks."
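For readers who want to check whether the "killbits" Reavey mentions are actually in place on their machines, here is an added example (not Microsoft's FixIt, and not code from the original article). A kill bit is Internet Explorer's per-control switch for refusing to load an ActiveX control: bit 0x400 of the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}. The article does not name the affected control's CLSIDs, so the values below are constructed placeholders that you would replace with the ones from Microsoft's advisory. The function names (Get-ActiveXKillBit, Set-ActiveXKillBit) are my own.

```powershell
# Added example: audit, and optionally set, the IE ActiveX kill bit for a list of CLSIDs.
# Reading works as a normal user; setting needs an elevated prompt.
# CLSIDs below are constructed placeholders, not the control discussed in the article.

$KillBitFlag = 0x400
$BasePath    = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

$PlaceholderClsids = @(
    '{00000000-0000-0000-0000-000000000001}',   # placeholder, replace with advisory CLSID
    '{00000000-0000-0000-0000-000000000002}'    # placeholder, replace with advisory CLSID
)

function Get-ActiveXKillBit {
    # Reports, per CLSID, the current Compatibility Flags and whether the kill bit is set.
    param([Parameter(Mandatory)][string[]]$Clsid)

    foreach ($id in $Clsid) {
        $key   = Join-Path $BasePath $id
        $flags = 0
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($null -ne $value) { $flags = [int]$value }
        }
        [pscustomobject]@{
            Clsid      = $id
            Flags      = ('0x{0:X8}' -f $flags)
            KillBitSet = (($flags -band $KillBitFlag) -ne 0)
        }
    }
}

function Set-ActiveXKillBit {
    # Sets the kill bit while preserving any other compatibility flags already present.
    # Supports -WhatIf so you can preview the change before touching the registry.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Clsid)

    foreach ($id in $Clsid) {
        $key = Join-Path $BasePath $id
        if ($PSCmdlet.ShouldProcess($id, 'Set ActiveX kill bit')) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            $current = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($null -eq $current) { $current = 0 }
            $new = ([int]$current) -bor $KillBitFlag
            Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
        }
    }
}

# Audit first; only apply the kill bit once the report shows it is missing.
Get-ActiveXKillBit -Clsid $PlaceholderClsids | Format-Table -AutoSize
Set-ActiveXKillBit -Clsid $PlaceholderClsids -WhatIf
```

The audit half is what makes the "reporting accurately shows that the systems are fully protected" remark in the quote concrete: a machine where the FixIt or a manual registry edit already set 0x400 will show KillBitSet as True, and next week's update does not change that state, it only makes the protection visible to patch-compliance tooling. Run the Set half without -WhatIf only from an elevated PowerShell prompt.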

Copyright © 2009 IDG Communications, Inc.