Microsoft: 2-year response to critical 0-day hole
It turns out Microsoft has known about the critical security vulnerability in its Office Web Components (OWC), which was fixed last patch day, for more than two years. Only since it has been actively exploited has the behemoth sprung into life and, within a month, released a patch.
The Zero Day Initiative (ZDI) reported the security problem, discovered by Peter Vreugdenhil, to Microsoft back in March 2007. ZDI told Microsoft that crafted parameters when calling msDataSourceObject() could lead to memory management errors that could be exploited by an attacker to inject and execute code. For a long time, precisely nothing occurred in response to the problem, or at least nothing that was going to protect users from the consequences of the problem.
ZDI has confirmed these dates in its advisory, published yesterday. ZDI manager Pedram Amini told The H's associates at heise Security, "they [Microsoft] kept finding the need for more time to ensure the issue was completely addressed". It is one of ZDI's guiding principles that they allow vendors as much time as is necessary.
The software giant's behaviour changed at a stroke in July as it became clear that the vulnerability was being actively exploited on the web to inject malicious code onto Windows machines. Microsoft suddenly released an advisory on the vulnerability and announced its intention to introduce counter-measures as rapidly as possible. In less than a month this culminated in a patch which was included in MS09-043 and was released on Tuesday as part of the August patch day.
Microsoft's response to the question of why the company took so long to produce a patch before the public exploit, yet managed a rapid reaction afterwards, was a well-hedged "no comment". The response to heise Security's enquiries included "Every vulnerability ... is different", "The quality testing process itself can be lengthy" and "in some circumstances, [it] can take longer than would be ideal". Whether Microsoft can get away with this sort of response with today's customers remains to be seen.