Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

IE Zero Day Flaw Leaked To Google Search

Log from security researcher's fuzzing engine found someone at a Chinese IP address searching for the exact Microsoft Internet Explorer attack signature.

Top 10 Security Stories Of 2010
(click image for larger view)
Slideshow: Top 10 Security Stories Of 2010
A previously undisclosed Microsoft Internet Explorer vulnerability, which an attacker can use to crash IE at will, was inadvertently leaked last week to a user at a Chinese Internet protocol address.

On Saturday, security expert Michal Zalewski, a Google employee, disclosed that the vulnerability was one of about 100 discovered using cross_fuzz, a free tool he developed in his spare time over the past two years to "fuzz" Web browsers in search of unknown bugs. (Fuzzing refers, in this case, to submitting unexpected HTML and XML to "stress-test" browsers and seeing how they respond.) Zalewski also publicly released the tool on Saturday.

But on Thursday, someone with a Chinese IP address searched Google for a specific IE vulnerability that hadn't yet been publicly disclosed, and found data generated by cross_fuzz that was accidentally exposed to and indexed by Google.

"While working on addressing cross_fuzz crashes in Webkit prior to this announcement, one of the developers accidentally leaked the address of the fuzzer in one of the uploaded crash traces," said Zalewski on his blog. "As a result, the fuzzer directory, including msie_crash.txt, has been indexed by GoogleBot."

The Chinese Google search that turned up the vulnerability data was "no accident," he said, as the person searched for two very specific functions "that are unique to the stack signature of this vulnerability, are very unlikely to appear in any other context, and had absolutely no other mentions on the Internet at that time." In addition, the searcher's behavior seemed to reveal no knowledge of the cross_fuzz tool, meaning that someone had apparently discovered the vulnerability independently.

According to Zalewski, his fuzzing tool has already discovered about 100 bugs across IE, Firefox, Opera, and Webkit-based browsers, all of which he disclosed to the relevant organizations in July. Since then, many of the Webkit vulnerabilities have already been patched, Firefox has addressed a number of the vulnerabilities and added Zalewski's tool into its own fuzzing infrastructure, and Opera fixed many of the identified vulnerabilities in its December release. While some difficult-to-fix vulnerabilities remain in those browsers, efforts to remediate them are underway.

The story is different with Microsoft. Zalewski said he first contacted Microsoft in 2008, warning that his fuzzer was triggering IE browser crashes, but Microsoft said it was unable to reproduce the crashes. After sending a new report to Microsoft in July 2010, and then responding to additional requests for information, Zalewski said Microsoft ultimately requested he that he indefinitely postpone releasing the fuzzer.

Zalewski declined. "Since they have not provided a compelling explanation as to why these issues could not have been investigated earlier, I refused," he said. In addition, the evidence -- via the Google search -- that someone had discovered one of the vulnerabilities independently made an expedited release prudent, he said.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/22/2020
The Problem with Artificial Intelligence in Security
Dr. Leila Powell, Lead Security Data Scientist, Panaseer,  5/26/2020
How an Industry Consortium Can Reinvent Security Solution Testing
Henry Harrison, Co-founder & Chief Technology Officer, Garrison,  5/21/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-10737
PUBLISHED: 2020-05-27
A race condition was found in the mkhomedir tool shipped with the oddjob package in versions before 0.34.5 and 0.34.6 wherein, during the home creation, mkhomedir copies the /etc/skel directory into the newly created home and changes its ownership to the home's user without properly checking the hom...
CVE-2020-13622
PUBLISHED: 2020-05-27
JerryScript 2.2.0 allows attackers to cause a denial of service (assertion failure) because a property key query for a Proxy object returns unintended data.
CVE-2020-13623
PUBLISHED: 2020-05-27
JerryScript 2.2.0 allows attackers to cause a denial of service (stack consumption) via a proxy operation.
CVE-2020-13616
PUBLISHED: 2020-05-26
The boost ASIO wrapper in net/asio.cpp in Pichi before 1.3.0 lacks TLS hostname verification.
CVE-2020-13614
PUBLISHED: 2020-05-26
An issue was discovered in ssl.c in Axel before 2.17.8. The TLS implementation lacks hostname verification.