Microsoft knew for months about a critical security vulnerability before hackers exploited it to breach Google, Adobe and other large U.S. companies, but did not patch the hole until Thursday.

The software giant had intended to release a patch for the flaw in February – more than four months after learning about it – but had to speed up that plan and roll it out this week in the wake of news that Google and others had been hacked through the flaw, the world's largest software maker acknowledged Thursday.

Meron Sellen, a security researcher at BugSec, an Israeli firm, quietly reported the vulnerability to Microsoft in September, according to security firm Kaspersky.

Microsoft confirmed it learned of the so-called "zero-day" flaw months ago.

According to Microsoft, "An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

The flaw, which primarily affected IE6, allowed hackers to install malware on employee computers and use it to gain access to intellectual property at Google, as well as to information connected to Gmail users. It's unknown what the hackers obtained from some 33 other companies – hi-tech, financial and defense – that were also targeted in the attack.

Although Microsoft recognized the severity of the flaw at the time Sellen reported it, the company held off releasing a patch so it could be included in a cumulative update for IE planned next month, the company said.

A zero-day flaw is a vulnerability that is being exploited before a patch for it is available. Usually the flaw is also unknown to the software vendor, which gives hackers who are aware of it a head start in developing malware to exploit it. In this case the vendor had known of the flaw for months, but no patch was available when the attacks began.

It's unknown if other companies were breached through the flaw prior to the high-profile hacks disclosed last week. Most companies are unwilling to acknowledge a breach, let alone provide public details about how they were hacked.

Google disclosed last week it discovered in mid-December that it had been hacked in an attack originating from China, about three months after Microsoft learned of the vulnerability. Adobe followed Google, announcing it, too, was hacked. Security firm iDefense said it had information that at least 34 companies were breached in the coordinated attack.

On Thursday, meanwhile, Microsoft released a cumulative security update for Internet Explorer that fixes the flaw, as well as seven other security vulnerabilities that would allow an attacker to remotely execute code on a victim's computer.

“Our investigation into this responsibly reported vulnerability began early September," Jerry Bryant, senior security program manager for Microsoft, said in a statement. "As part of this investigation we began working on an update to help protect customers. We became aware of the recent attacks in mid-January and as part of our investigation determined the vulnerability being used in these attacks was similar to the one investigated in September."
