Researchers confirm Googler's Internet Explorer bug
French firm Vupen says Microsoft's browser vulnerable to drive-by attacks
Computerworld - French security researchers today confirmed the presence of a bug in Internet Explorer (IE) that's at the center of a spat between Microsoft and a Google security engineer.
According to Vupen, IE8 harbors a vulnerability that can be exploited to hijack a Windows system.
"A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by remote attackers to take complete control of a vulnerable system," said the French firm in an advisory published Wednesday.
Vupen said it confirmed the vulnerability and its exploitability in IE8 running on Windows XP Service Pack 3 (SP3), but believed it could also be leveraged on Windows Vista, Windows 7, Server 2003, Server 2008 and Server 2008 R2.
The security company rated the bug as "critical," its highest threat warning. In a follow-up tweet, Vupen said, "Reproducing was/is hard."
The bug was publicly reported last Saturday by Michal Zalewski, a Google security engineer, when he released a new "fuzzing" tool that had found more than 100 bugs in the five major browsers: Chrome, Firefox, Internet Explorer (IE), Opera and Safari. He also published a crash dump of one of the IE bugs he believed could be exploited.
Zalewski's release of "cross_fuzz" and the crash dump has sparked a skirmish between him and Microsoft.
The latter has claimed that even though its engineers have had the fuzzer since July, they were only able to identify the vulnerability Dec. 21, 2010, when Zalewski provided a newer version of the tool.
Zalewski has disputed that in a detailed timeline of the back-and-forth with Microsoft. Earlier this week he said he released cross_fuzz and the crash dump because Chinese hackers were already probing for information on the bug, and because Microsoft had not responded for months to his bug report.
Vupen identified the IE vulnerability as a "use-after-free error" within "mshtml.dll," the code library that composes the browser engine. Attackers could exploit the bug by enticing people to a malicious Web page -- a classic "drive-by" attack that compromises the browser as soon as it renders the page.
Microsoft has said it is investigating the IE vulnerability, but has not issued a security advisory or revealed its patching plans.
With the Vupen confirmation, Microsoft now has four unpatched bugs to work on, including a critical IE bug it acknowledged two weeks ago, a WMI Active X flaw in IE that went public at the same time, and a Windows vulnerability the company confirmed Tuesday.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Alert Logic for PCI DSS Compliance To achieve PCI DSS compliance, you must identify and remediate all critical vulnerabilities detected during PCI scans. Threat Manager streamlines this process by...
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts