Vulnerabilities / Threats
1/6/2011
11:50 AM
50%
50%

Zero Day IE Vulnerability Confirmed

No patch yet available for Internet Explorer flaw, as Microsoft and Google researcher trade barbs over bug's disclosure.

Top 10 Microsoft Stories Of 2010
(click image for larger view)
Slideshow: Top 10 Microsoft Stories Of 2010
"The year of uncoordinated disclosures has started." So tweeted French vulnerability research firm Vupen, which on Wednesday confirmed the zero-day Internet Explorer bug discovered by security researcher and Google employee Michal Zalewski.

Vupen rates the vulnerability, which it confirmed on IE8 running on Windows XP SP3, as critical. The vulnerability also affects IE8 running on Windows 7, Windows Server 2008 SP2 and R2, Windows Vista SP2, and Windows Server 2003 SP2. No patch has been released.

According to Vupen, "this issue is caused by a use-after-free error within the 'mshtml.dll' library when handling circular references between JScript objects and Document Object Model (DOM) objects, which could allow remote attackers to execute arbitrary code via a specially crafted Web page." Attackers could exploit the vulnerability to take control of a targeted system.

In a follow-up tweet, Vupen noted that in verifying the vulnerability, "reproducing was/is hard." The observation is pertinent, since Google's Zalewski released a timeline asserting that he first informed Microsoft of vulnerabilities discovered by his fuzzing engine in 2008, and alerted it to this specific bug in July 2010.

Microsoft, however, said that the vulnerabilities identified by Zalewski only appeared with the third version of his fuzzing tool, which was released in December. At that point, Microsoft requested that Zalewski delay the release of his fuzzing tool to give it time to address the vulnerability.

"After reviewing the new version of the tool and the crash report, we requested that Zalewski hold the public release of the new version of the tool and information on the specific vulnerability found in December until we could investigate further," said Jerry Bryant, group manager for trustworthy computing response communications at Microsoft. "We specifically told Zalewski we were fine with him publishing the two versions of the tool reported in July."

Zalewski declined to hold the release of the latest version of his code-fuzzing tool, asserting that Chinese security researchers -- or attackers -- had been probing for the precise vulnerability discovered by the tool. His actions drew criticism from Bryant, who accused him of amplifying the related risk.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This is a secure windows pc.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.