IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

IE zero-day leaked to China?

Google researcher Michal Zalewski says details on a potentially serious IE vulnerability could be in the hands of Chinese hackers.

Security

Chinese hackers potentially have their hands on an unpatched zero-day flaw in Internet Explorer, a Google researcher has said.

Michal Zalewski said a debugger he created called cross_fuzz discovered an "evidently exploitable vulnerability," and he has now raised concerns the IE flaw is "known to third parties in China."

The issue arose after a developer accidentally leaked the address of the debugger, or fuzzer, in an uploaded crash trace.

This subsequently led to Google indexing the debugger's directory, which contained information on the vulnerability.

On 30 December, search queries seen by Zalewski showed how the details on the flaw and files relating to an unpublished security tool had been obtained by an unknown party with a Chinese IP address.

"The pattern is very strongly indicative of an independent discovery of the same vulnerability in MSIE using unrelated tools, eventually leading the discoverer to my site; other explanations for this pair of consecutive searches seem extremely unlikely," Zalewski wrote.

Microsoft and Google come to blows

Zalewski, who said his debugger had helped identify around 100 bugs in all browsers on the market, claimed Microsoft had been contacted about the vulnerability in July.

The Google researcher claimed Microsoft had then asked for the release of the tool to be delayed "indefinitely," after the Redmond giant had purportedly reproduced multiple exploitable crashes in testing out the flaw.

"Since they have not provided a compelling explanation as to why these issues could not have been investigated earlier, I refused," he added in a blog post.

In a timeline of his interaction with Microsoft, Zalewski had a disagreement with Microsoft over the course of events.

"The current PR messaging from Microsoft implies that substantial differences existed between July and December fuzzer variants, and that the July 29 could not reproduce the vulnerability outlined in msie_crash.txt," he said.

"This is inconsistent with my record."

Jerry Bryant, group manager in Microsoft's Response Communications, claimed no issues had been identified by either Zalewski or Microsoft following the release of the tool in July.

However, Bryant admitted Microsoft and Zalewski discovered at a later date that the debugger released in July did throw up some issues.

"It is important to clarify that neither Microsoft or Zalewski found this issue in the July timeframe," he said.

When an updated version of the debugger was released in December and found a "potentially exploitable," Microsoft started trying to determine whether the vulnerability was really exploitable, Bryant said.

"After reviewing the new version of the tool and the crash report, we requested that Zalewski hold the public release of the new version of the tool and information on the specific vulnerability found in December until we could investigate further," Bryant added.

"We specifically told Zalewski we were fine with him publishing the two versions of the tool reported in July."

He added that Microsoft was not aware of any successful attempts to develop a proof of concept exploit code or any attacks due to the tools release.

"If the situation changes, we will take the appropriate action to help protect customers," he said.

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download

Recommended

Google urges Apple to embrace RCS as standard, ditch SMS for Android texts
Mobile

Google urges Apple to embrace RCS as standard, ditch SMS for Android texts

10 Aug 2022
Google reveals new office in Atlanta and $1 million in funding for local communities
Careers & training

Google reveals new office in Atlanta and $1 million in funding for local communities

28 Jul 2022
Hackers hiding malicious links in top Google search results, researchers warn
malware

Hackers hiding malicious links in top Google search results, researchers warn

21 Jul 2022
Gmail vs Outlook.com: Which one is better?
email providers

Gmail vs Outlook.com: Which one is better?

13 Jul 2022

Most Popular

Cyber attack on software supplier causes "major outage" across the NHS
cyber attacks

Cyber attack on software supplier causes "major outage" across the NHS

8 Aug 2022
Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022