Chinese hackers dig into new Internet Explorer bug
#1
January 3, 2011 (Computerworld)

An accidental leak may have confirmed Chinese hackers' suspicions that Internet Explorer has a critical unpatched vulnerability, a security researcher said Saturday.

Sunday, Microsoft said it was analyzing the vulnerability.

The bug was one of about 100 found by noted browser vulnerability researcher and Google security engineer Michal Zalewski using a new "fuzzing" tool. The vulnerabilities were in IE, Firefox, Chrome, Safari and Opera.

"I have reasons to believe that the evidently exploitable vulnerability [in IE] discoverable by cross_fuzz is independently known to third parties in China," said Zalewski, referring to the "cross_fuzz" fuzzing utility he created.

According to Zalewski's account, a developer working on WebKit -- the open-source browser engine that powers both Apple's Safari and Google's Chrome -- "accidentally leaked" the location of the then-unreleased fuzzing tool. Google's search engine then added that location to its index.

"On Dec. 30, I received ... search queries from an IP address in China, which matched keywords mentioned in one of the indexed cross_fuzz files," Zalewski said.

Those searches were looking for information on a pair of functions in "Mshtml.dll," IE's browser engine, that Zalewski said were unique to the vulnerability, and that had "absolutely no other mentions on the Internet at that time."

The person or persons searching for the functions then downloaded all the available cross_fuzz files.

"[This] is very strongly indicative of an independent discovery of the same fault condition in [IE] unrelated means; other explanations for this pair of consecutive searches seem extremely unlikely," Zalewski said.

Zalewski released cross_fuzz on Saturday, even though Microsoft had not yet patched any of the IE flaws. Other browser makers, including Mozilla and Opera, as well as the WebKit team, have fixed some -- although not all -- of the bugs Zalewski found using cross_fuzz.

Microsoft asked Zalewski to delay cross_fuzz's release, but he declined, in part because of his fear the IE vulnerability was already being explored by Chinese hackers, but also because the company's security experts had not responded to information he provided.

"Since [Microsoft has] not provided an explanation as to why these issues could not be investigated earlier, I refused [the request to hold the release]," Zalewski said in a Jan. 1 post to the Full Disclosure mailing list.

In a detailed timeline of his communiqués to Microsoft, Zalewski said he had first reported his findings and provided an earlier version of cross_fuzz in July. According to Zalewski, Microsoft did not reply until he told them on Dec. 20 that he was planning on revealing the fuzzing tool in early January.

On Dec. 21, Microsoft told Zalewski that its security response center had begun composing a reply last summer, but never sent it after failing to reproduce his findings.

"I have a conference call with MSRC [Microsoft Security Response Center]," Zalewski said in the timeline's note for Dec. 28. "The team expresses concern over PR impact, suggests that the changes made to my fuzzer code between July and December might have uncovered additional issues, which would explain why they were unable to reproduce them earlier."

A day later, Microsoft admitted it was now able to reproduce the fuzzer-found flaws using the July code.

"The IE team did exhaustively run the fuzzers but were unable to find the same crashes that you and Dave [of Microsoft] are now able to identify," Microsoft told Zalewski on Dec. 29. "I can't really say as to why we are able to hit some of these conditions now rather than before but please know that this was not intentional."

Microsoft's account omitted most of the details Zalewski provided, including the fact that it was able last month to reproduce the vulnerability using the fuzzer it had five months earlier.

"[In July], neither Microsoft or the Google security researcher identified any issues," said Jerry Bryant, an MSRC spokesman, in a statement Sunday. "On December 21, a new version of the tool was reported to us along with information about a potentially exploitable crash found by the new version. We immediately worked to reproduce the issue with the updated and original tool and are currently investigating it further to determine if it is actually exploitable."

Microsoft and Google security researchers have crossed swords in the past. Last summer, Google's Tavis Ormandy released exploit code for a bug in Windows' Help and Support Center after he said Microsoft refused to set a patch deadline.

Fuzzing is a common research practice used to locate vulnerabilities and find flaws in code. A fuzzer automates the technique by inputting data into applications or operating system components to see if -- and where -- crashes occur.

The vulnerability that Zalewski reported and Microsoft said it was investigating is apparently unrelated to the unpatched IE bug the latter confirmed on Dec. 22.
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  Cookiejacking Exploit Hits Internet Explorer, Targets Your Login Info Mach 1 Club 3 15,204 06-01-2011, 03:20 PM
Last Post: Mach 1 Club
  Honda Hit by Hackers – Customer Info Stolen Mach 1 Club 0 7,204 01-03-2011, 04:26 AM
Last Post: Mach 1 Club
  UN mulls internet regulation options Mach 1 Club 0 7,375 12-18-2010, 08:51 AM
Last Post: Mach 1 Club
  Does the Internet Make You Smarter? Dumber? Mach 1 Club 0 7,951 06-06-2010, 06:16 AM
Last Post: Mach 1 Club
  The FCC should NOT regulate the Internet Mach 1 Club 0 7,368 05-19-2010, 05:48 AM
Last Post: Mach 1 Club

Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Latest Threads
What's One More Iron In The Fire!
Last Post: fram lee666
03-18-2024 06:21 PM
» Replies: 125
» Views: 238038
"Jacobra"
Last Post: JTS71 Mach1
06-30-2023 11:13 PM
» Replies: 86
» Views: 150593
My old Queensland Ambulance
Last Post: JTS71 Mach1
06-30-2023 11:08 PM
» Replies: 5
» Views: 1680
New member from San Jose, CA
Last Post: JTS71 Mach1
05-09-2023 08:39 AM
» Replies: 12
» Views: 3953
Saving Seatbelts
Last Post: Jim
02-19-2023 10:23 PM
» Replies: 2
» Views: 9108
Sourcing new wheels
Last Post: JTS71 Mach1
01-25-2023 02:34 PM
» Replies: 1
» Views: 1993
Shaker Air Filter
Last Post: JTS71 Mach1
01-08-2023 02:24 AM
» Replies: 3
» Views: 1465
1971 Mach 1 parting out interior parts -...
Last Post: ylwhrse
12-22-2022 01:38 PM
» Replies: 0
» Views: 640
Painting
Last Post: Rare Pony
12-14-2022 06:24 PM
» Replies: 2
» Views: 1964
WELCOME ALL NEW MEMBERS INTRODUCE YOURSE...
Last Post: JTS71 Mach1
08-31-2022 01:36 PM
» Replies: 82
» Views: 156997
1970 mach 1 matching numbers
Last Post: Kstweeter
08-31-2022 10:31 AM
» Replies: 1
» Views: 1086
Brake booster/servo hose length
Last Post: JTS71 Mach1
08-23-2022 09:40 AM
» Replies: 7
» Views: 2992
New Member
Last Post: JTS71 Mach1
08-20-2022 11:18 AM
» Replies: 2
» Views: 1497
smooth window operation on 70 Mach
Last Post: CUSTOMMISER
08-15-2022 12:10 PM
» Replies: 2
» Views: 1469
Blinkers on solid
Last Post: busted21
08-09-2022 03:58 AM
» Replies: 14
» Views: 8682
Blinkers on solid when lights on.
Last Post: JTS71 Mach1
08-08-2022 12:06 PM
» Replies: 1
» Views: 1719
351 cj running hot
Last Post: busted21
08-08-2022 12:13 AM
» Replies: 5
» Views: 3403
Major Winter projects
Last Post: JTS71 Mach1
07-09-2022 05:12 AM
» Replies: 49
» Views: 21114
Happy Fathers Day!!!
Last Post: JTS71 Mach1
06-20-2022 02:34 AM
» Replies: 0
» Views: 1681
1969 Raven Black 390 Looking For
Last Post: mason1958
06-11-2022 09:48 AM
» Replies: 10
» Views: 15078

>