Jan 3, 2011 10:40 GMT

Microsoft confirmed to Softpedia that it is investigating reports of a zero-day vulnerability impacting Internet Explorer.

The issue was detected using cross_fuzz, a browser fuzzing tool released by Google researcher Michal Zalewski on January 1st, 2011.

Jerry Bryant, group manager, response communications, Trustworthy Computing at Microsoft, revealed that the software giant is well aware of the availability of cross_fuzz, as well as the problem it helped highlight in IE.

In fact, Zalewski made sure to provide the Redmond company with a copy of the fuzzing tool as early as July 2010.

Bryant notes that neither Microsoft’s security researchers nor Zalewski were able to identify any issues in Internet Explorer using the initial version of cross_fuzz. However, this apparently changed just ahead of Christmas, when cross_fuzz was updated.

“On December 21, a new version of the tool was reported to us along with information about a potentially exploitable crash found by the new version.

“We immediately worked to reproduce the issue with the updated and original tool and are currently investigating it further to determine if it is actually exploitable.

“At this point, we’re not aware of any exploits or attacks for the reported issue and are continuing to investigate and monitor the threat environment for any changes,” Bryant explained.

Fuzzing, also known as fuzz testing, is a form of automated testing designed to bombard a piece of software with a range of exceptional and random data. Fuzzers are used to throw program input at a product in order to detect issues with its design.

According to Zalewski, details on the problem affecting IE could have already made their way into the wild, and of course, now that the fuzzing tool is available, Microsoft needs to determine whether the issue is a legitimate vulnerability, and patch it if it is.

“Security is an industry wide issue and Microsoft is committed to working with researchers and/or the companies who employ them, when they discover potential vulnerabilities and this case is no exception.

“Working with software vendors to address potential vulnerabilities in their products before details are made public, reduces the overall risk to customers. In this case, risk has now been amplified. We will continue to investigate this issue and take appropriate action to help protect customers,” Bryant added.