back to article MS Zero-day security bug was two years in the making

A flaw in Office Web Components which Microsoft fixed on Tuesday was first reported to the software giant over two years ago, it has emerged. The time taken to release a patch has security vendors speculating that Redmond's security gnomes only got around to fixing the software flaw at all because hackers have begun exploiting …


This topic is closed for new posts.
  1. Bilgepipe


    So much for M$ strutting around the Internet pointing out other peoples' security flaws, and all that other Security Lifecycle malarkey. People in glass houses.... but then who really thought they had turned over some kind of security new leaf, eh?

  2. Kev K
    Thumb Up

    only 2 years ?

    *nix last one was 8 years :P

  3. Rob Dobs

    Here is your FAIL M$ fanboys

    2 years - massive FAIL!!!! This is what using M$ and its proprietary poorly coded software gets you.

    Did i mention FAIL!!. Thanks M$, just when I though that Linux kernal bug (fixed in a day or two of reporting) might hurt the Linux reputation (with the masses) M$ steps in and saves the day. Two years to fix a critical exploit .... Nuff Said!

  4. Lionel Baden

    can we have a hardhat icon

    MS is gonna need it from the thus forth comming comments :)

  5. Xander
    Dead Vulture


    When did this place start hiring skiddies?

  6. Pink Duck
    Black Helicopters

    It's all a conspiracy

    It wouldn't surprise me if these large companies had contractual agreements with national security agencies to reveal a number of known exploits of their software that they've discovered or been informed about, while delaying the fix until public exploitation, with considerable money in return. Compare that to the cost of fixing and testing the issue with an ever increasing number of products and suddenly there are 2 year waits for consumer patches.

  7. Richard Bishop

    At least they can't sell their buggy software now

    With Microsoft unable to sell M$ Word surely that means that there are less people being exposed to this kind of thing?

    Maybe a judge should pass a ruling banning them from selling any software - the world would be a much better place!

    Surely though, it doesn't take two years to work its way through M$ before a fix is released - Apple managed it in 24 hours with the iPhone SMS exploit! Long live Steve!

    <-- Stop, because Microsoft had to.

  8. RW

    @ Richard Bishop

    Quoth he: "Surely though, it doesn't take two years to work its way through M$ before a fix is released"

    Surely it does.

    I'm sure many of us have seen the situation where Person A gets Job B and does okay in that job for a fairly long time. But life being what it is, Job B slowly mutates and ratchets itself up the complexity scale until Person A is over her head in it.

    Microsoft impresses me as being similar: they're still the same company they were, say, 20 years ago, but their corporate culture, management methods, programming practices, none of their operating practices are up to the demands of contemporary software development and usage.

  9. Anonymous Coward
    Thumb Down


    A zero-day vulnerability is one which the application vendor is not aware of, which is being exploited.

    If the application vendor knew about it for 2 years, but did not fix it, it is by definition NOT a zero-day vulnerability. The days start counting from when the vendor becomes aware of the vuln.

  10. Rob Dobs

    @ Kev K

    Sorry Kev, That Linux (not Unix mind u) bug was fixed in a matter of days. Yes it has been around in the code for 8 years, but it was fixed almost immediately after it was reported. MS bug was around before 2 years, ago, the important factor here is that M$ took TWO YEARS AFTER it was reported to fix it. I'm sure there are still non-publicly disclosed bugs in any OS, but Linux has shown that they tend to have less bugs, the bugs are usually less damaging (requiring a user account to already be compromised like the 8 year one above) whereas the typical windows exploit is usually achieved with malformed code (buffer overflows) or simply visiting a web site, or playing a movie file.

    @ Pink Duck ... interesting, but applying the most simple explanation; I think they are just that bad at what they do. Plus actual criminal risk if caught would be VERY high, and they get the same benefit by just being dumb.

  11. Anonymous Coward


    Couldn't they have bundled a patch for this with some other updates at some point in the last two years? Is it that hard? Maybe not enough programmers to write a patch, with laying off a bunch of people while the company is still making money hand over fist?

  12. Ru

    @Kev K, Re: *nix last one was 8 years :P

    Please show the advisory that was announced for this flaw eight years ago.

    Oh, wait.

  13. Richard 102

    @Pink Duck

    While we're getting the hardhat icon, can we also have a tinfoil hat icon?

  14. sage


    The Linux one might've existed for 8 years, but it wasn't found and reported until recently, and the got patched within a day or two. The MS one was found and reported over 2 years ago, and is just getting patched now. That's not quite the same.

    Furthermore, in order to exploit the Linux one, you had to have access to the computer itself. For the MS one, it's a web component, so you only need access to the internet. Again, not quite the same.

  15. mr.K


    "A zero-day vulnerability is one which the application vendor is not aware of, which is being exploited.

    If the application vendor knew about it for 2 years, but did not fix it, it is by definition NOT a zero-day vulnerability. The days start counting from when the vendor becomes aware of the vuln."

    I have a list of question regarding that claim:

    1. Who decide what is the official and true meaning of a new expression? Are there some sort of official institute that keep a list or something? If so, could you be so kind as to direct me to it?

    2. If unable to answer on the previous question: Are you able to present to me some sort of statistics or numbers that the common usage of the expression are in majority what you claim it means, and under no circumstances could have additional meaning?

    3. Regardless of whether you are correct or not: Why do you feel a need to address this, and what is the purpose to it?

    4. Do you feel that your comment adds value to the article and its comment section?

    Mine is the one with AA (Anal Anonymous) membership card in the pocket. We like to pick on people picking on others.

  16. asdf Silver badge

    Mozilla fail

    How come the list of other vendors who have critical bugs outstanding over a year only included one pure open source outfit - Mozilla? I love and use firefox and all but the writing on the wall lately does not look good for its long term future. First the fact that the big open source exploiters (charged word but meh) Google and Apple (between two of them talking massive resources obviously) chose to use webkit (originally khtml engine but heavily modified) instead of gecko (firefox engine), as well as the longer times to patch critical bugs by mozilla might mean Mozilla won't be the dominant open browser long term. Oh well competition even in open source is good and with a quarter of the sheeptards still using IE6 (even M$ disgusted with the situation they directly caused) either is 100x times better in every way.

  17. SoltanGris

    Pink Ducks

    Despite suggestions otherwise, Pinkduck is correct to suspect.

    One need not study espionage and signals intelligence operations of nation states for long

    to realize such is going on behind your collective backs. It isn't just the USA and NSA by the way.

    Plenty of shenanigans to go around. Not to worry.

    Nothing to see here , move along now.


    Oh, for those interested in reading on this such sort of thing a good place to start, though not end, is Peter Bamford 'The Puzzle Palace' though I do understand later works are about.

    Reading up how the Allies won the 2nd World War by using shenanigans and signals intel might lead you to led further down the path of paranoia..

    Interesting history.

    Meanwhile, you could just ignore all that. Just I'd advise not plotting world domination using your PC or networked devices.


  18. DZ-Jay

    Re: @Zero-day?

    I'm mr.K, if the vendor and the security community (at least the organization who reported the bug) knew about it for two years, then it is most definitely *not* a zero-day vulnerability, but more like a 730-day vulnerability (not accounting for a leap-year within those two).

  19. amanfromMars 1 Silver badge

    For Flying Pink Elephants....

    "Meanwhile, you could just ignore all that. Just I'd advise not plotting world domination using your PC or networked devices.

    Cheerio." .... By SoltanGris Posted Sunday 16th August 2009 03:19 GMT

    Hello. I'd like to advise that nowadays plotting world domination without the use of the humble ubiquitous PC or networked devices is to Guarantee and Invite Failure and mounting future problems which will be targeted for resolution/binary blasting with PCs and networked devices.

    This is what is possible today, and it was Registered two days ago too ...... "If you are in Denial and Disbelief of SMARTer Third Parties building with AI ProgramMING an Altogether Fundamentally Different New World Order with Cloud Control for Virtually and Vitally Important Operating Systems, do such Elemental First Party Failings Present and Guarantee Unconventional and Irregular Forces, Perfect Future Intelligence Stealth for Great Game TakeOvers and Big Picture MakeOvers." ..... but failed ITs Sensitive Subjective Peer Review Test for Comment Publication on El Reg, but IT is Vital Virile Viral Information for Any and All Quantum Communications Control Systems for the Virtualised Environment and ITs Cloudy GUI Power Distribution Layers/Levels/Desktops...... All Singing All Dancing Laptops.

    And One Virtual Machine to Control and Power them All? Which would be a Fool Question and QuITe Preposterous Impossible Notion to Most Everybody but merely a Noble Nobel Work in Progress to the Next Higher Levels of Confusion and CompleXXXX Simplicity for a Few Master Pilots ......... Per Ardua ad MetaAstra.

    Given the Massive Server Store of Public Flight Information on such Matters, deposited freely with the Register, it would not be something which can be denied and/or disputed.

  20. mwray59

    Zero Day Bug how about 730 day bug

    There really should be some guidelines in place that limit the amount of time it takes to fix these bugs. The more time they are out there being exposed the more time the hacker/cracker or anyone else for that matter has to exploit millions of computers. With all the cyber attacks lately you really would think IT security would notch this up as a main priority.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019