Internet Explorer Possibly Hit by New Zero-Day Vulnerability

  Google security researcher reveals possible new IE 0-day
2011 is already shaping up to be a busy year for Microsoft from a security standpoint, as a reputed researcher warns that Internet Explorer might be suffering from a critical vulnerability already known to third parties.

2011 is already shaping up to be a busy year for Microsoft from a security standpoint, as a reputed researcher warns that Internet Explorer might be suffering from a critical vulnerability already known to third parties.

On January 1, Michal Zalewski aka "lcamtuf," a well known browser security researcher who currently works for Google, published a stack trace for a potentially exploitable Internet Explorer crash.

The trace was obtained with a self-developed fuzzing tool called cross_fuzz, which was shared with Microsoft and other vendors privately in mid-2010.

According to the researcher, on July 26, 2010, he notified Microsoft of multiple crashes and GDI corruption issues in Internet Explorer.

A few days later, a then current version of cross_fuzzer was shared with the software giant. However, from August Microsoft went silent about the report and Zalewski moved on with his plans to improve the tool and release it publicly at the beginning of this year.

He contacted Microsoft again in late December to let them know about the fuzzer's impending release and was told that the company could not replicate the originally reported problems.

Intrigued, the researcher retested and re-encountered the crashes with the July version of the fuzzer, so he shared his findings with Microsoft again.

This time the vendor was able to identify the issues too, but, according to Zalewski, had no explanation as to why its employees could not confirm them earlier.

In addition to providing the stack trace for what he calls "clearly exploitable" crashes, Zalewski believes that one of the issues is already known by third parties.

This is because he observed some search queries for functions particular to this vulnerability's signature, which are not mentioned anywhere else on the Internet.

The queries came from an IP address in China. "The pattern is very strongly indicative of an independent discovery of the same fault condition in MSIE by unrelated means; other explanations for this pair of consecutive searches seem extremely unlikely," Zalewski notes.

Microsoft confirmed the potentially exploitable crash, but pointed out that there is currently no attack targeting this issue in the wild. However, this could rapidly change if someone uses the stack trace to create a working and reliable proof-of-concept exploit.

Fuzzing is a security testing practice, which involves serving malformed input to a parser in order to generate crashes. When this happens, the technical details are traced and can be analyzed by hackers to create an exploit.

Comments