Chinese hackers dig into new IE bug, says Google researcher
Microsoft asked Google security engineer to delay release of fuzzer, other information because of 'PR concerns'
Computerworld - An accidental leak may have confirmed Chinese hackers' suspicions that Internet Explorer has a critical unpatched vulnerability, a security researcher said Saturday.
Sunday, Microsoft said it was analyzing the vulnerability.
The bug was one of about 100 found by noted browser vulnerability researcher and Google security engineer Michal Zalewski using a new "fuzzing" tool. The vulnerabilities were in IE, Firefox, Chrome, Safari and Opera.
"I have reasons to believe that the evidently exploitable vulnerability [in IE] discoverable by cross_fuzz is independently known to third parties in China," said Zalewski, referring to the "cross_fuzz" fuzzing utility he created.
According to Zalewski's account, a developer working on WebKit -- the open-source browser engine that powers both Apple's Safari and Google's Chrome -- "accidentally leaked" the location of the then-unreleased fuzzing tool. Google's search engine then added that location to its index.
"On Dec. 30, I received ... search queries from an IP address in China, which matched keywords mentioned in one of the indexed cross_fuzz files," Zalewski said.
Those searches were looking for information on a pair of functions in "Mshtml.dll," IE's browser engine, that Zalewski said were unique to the vulnerability, and that had "absolutely no other mentions on the Internet at that time."
The person or persons searching for the functions then downloaded all the available cross_fuzz files.
"[This] is very strongly indicative of an independent discovery of the same fault condition in [IE] unrelated means; other explanations for this pair of consecutive searches seem extremely unlikely," Zalewski said.
Zalewski released cross_fuzz on Saturday, even though Microsoft had not yet patched any of the IE flaws. Other browser makers, including Mozilla and Opera, as well as the WebKit team, have fixed some -- although not all -- of the bugs Zalewski found using cross_fuzz.
Microsoft asked Zalewski to delay cross_fuzz's release, but he declined, in part because of his fear the IE vulnerability was already being explored by Chinese hackers, but also because the company's security experts had not responded to information he provided.
"Since [Microsoft has] not provided an explanation as to why these issues could not be investigated earlier, I refused [the request to hold the release]," Zalewski said in a Jan. 1 post to the Full Disclosure mailing list.
In a detailed timeline of his communiqués to Microsoft, Zalewski said he had first reported his findings and provided an earlier version of cross_fuzz in July. According to Zalewski, Microsoft did not reply until he told them on Dec. 20 that he was planning on revealing the fuzzing tool in early January.
On Dec. 21, Microsoft told Zalewski that its security response center had begun composing a reply last summer, but never sent it after failing to reproduce his findings.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts