IE zero-day leaked to China?

Google researcher Michal Zalewski says details on a potentially serious IE vulnerability could be in the hands of Chinese hackers.

Security

Chinese hackers potentially have their hands on an unpatched zero-day flaw in Internet Explorer, a Google researcher has said.

Michal Zalewski said a debugger he created called cross_fuzz discovered an "evidently exploitable vulnerability," and he has now raised concerns the IE flaw is "known to third parties in China."

The issue arose after a developer accidentally leaked the address of the debugger, or fuzzer, in an uploaded crash trace.

Advertisement - Article continues below

This subsequently led to Google indexing the debugger's directory, which contained information on the vulnerability.

On 30 December, search queries seen by Zalewski showed how the details on the flaw and files relating to an unpublished security tool had been obtained by an unknown party with a Chinese IP address.

"The pattern is very strongly indicative of an independent discovery of the same vulnerability in MSIE using unrelated tools, eventually leading the discoverer to my site; other explanations for this pair of consecutive searches seem extremely unlikely," Zalewski wrote.

Microsoft and Google come to blows

Zalewski, who said his debugger had helped identify around 100 bugs in all browsers on the market, claimed Microsoft had been contacted about the vulnerability in July.

The Google researcher claimed Microsoft had then asked for the release of the tool to be delayed "indefinitely," after the Redmond giant had purportedly reproduced multiple exploitable crashes in testing out the flaw.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"Since they have not provided a compelling explanation as to why these issues could not have been investigated earlier, I refused," he added in a blog post.

In a timeline of his interaction with Microsoft, Zalewski had a disagreement with Microsoft over the course of events.

"The current PR messaging from Microsoft implies that substantial differences existed between July and December fuzzer variants, and that the July 29 could not reproduce the vulnerability outlined in msie_crash.txt," he said.

"This is inconsistent with my record."

Jerry Bryant, group manager in Microsoft's Response Communications, claimed no issues had been identified by either Zalewski or Microsoft following the release of the tool in July.

However, Bryant admitted Microsoft and Zalewski discovered at a later date that the debugger released in July did throw up some issues.

"It is important to clarify that neither Microsoft or Zalewski found this issue in the July timeframe," he said.

Advertisement - Article continues below

When an updated version of the debugger was released in December and found a "potentially exploitable," Microsoft started trying to determine whether the vulnerability was really exploitable, Bryant said.

"After reviewing the new version of the tool and the crash report, we requested that Zalewski hold the public release of the new version of the tool and information on the specific vulnerability found in December until we could investigate further," Bryant added.

"We specifically told Zalewski we were fine with him publishing the two versions of the tool reported in July."

He added that Microsoft was not aware of any successful attempts to develop a proof of concept exploit code or any attacks due to the tools release.

"If the situation changes, we will take the appropriate action to help protect customers," he said.

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now
Advertisement

Recommended

Visit/mobile/google-android/355837/arizona-files-lawsuit-against-google-for-illegally-tracking-android
Google Android

Arizona files lawsuit against Google for illegally tracking Android users’ locations

29 May 2020
Visit/security/encryption/355820/k2view-innovates-in-data-management-with-new-encryption-patent
encryption

K2View innovates in data management with new encryption patent

28 May 2020
Visit/network-internet/email-providers/355822/gmail-introduces-new-features-to-makes-personalizing-your
email providers

Gmail introduces new features to makes personalizing your inbox easier

28 May 2020
Visit/mobile/google-android/355804/google-confirms-users-can-make-purchases-via-voice-match-feature
Google Android

Google Assistant can now verify payments using your voice

27 May 2020

Most Popular

Visit/operating-systems/microsoft-windows/355812/microsoft-warns-against-installing-windows-10-may-2020
Microsoft Windows

Microsoft warns users not to install Windows 10's May update

28 May 2020
Visit/security/cyber-security/355797/microsoft-bans-trend-micros-rootkit-buster-from-windows-10
cyber security

Microsoft bans Trend Micro driver from Windows 10 for "cheating" hardware tests

27 May 2020
Visit/policy-legislation/data-protection/355835/nhs-yet-to-understand-the-risks-of-holding-test-and-trace
data protection

NHS yet to understand risks of holding Test and Trace data for 20 years

29 May 2020