
Accidental Leak Reveals Chinese Hackers Have IE Zero Day

Google researcher's new fuzzer finds vulnerabilities in all browsers

A renowned Google researcher who this week released a new free fuzzer that so far has found around 100 vulnerabilities in all browsers says Chinese hackers appear to have gotten their hands on one of the same bugs he discovered with the tool.

Google's Michal Zalewski released the so-called cross_fuzz tool on New Year's Day and announced that the fuzzer had so far uncovered more than 100 vulnerabilities, many of them exploitable, across all major browsers.

In a bizarre twist, Zalewski says an accidental leak of the fuzzer's address prior to its release helped reveal some unexpected intelligence, namely that "third parties in China" apparently also know about an unpatched and exploitable bug he found in IE with the fuzzer. It all started when one of cross_fuzz's developers, who was working on crashes in the open-source WebKit browser engine used in Chrome and Safari, inadvertently included the fuzzer's address in one of the crash traces that was uploaded. As a result, the fuzzer's directory, along with the IE test results it contained, was indexed by GoogleBot, he says.

Zalewski says he was able to confirm afterward that there were no downloads or discoveries of the tool. But on Dec. 30, he says, an IP address in China queried keywords included in one of the indexed cross_fuzz files, specifically two DLL functions, BreakAASpecial and BreakCircularMemoryReferences, associated with and unique to the zero-day IE flaw he found with the fuzzer.

"The person had no apparent knowledge of cross_fuzz itself, poked around the directory for a while, and downloaded all the accessible files; suggesting this not being an agent of one of the notified vendors, but also being a security-minded visitor," Zalewski explained in his blog post. "The pattern is very strongly indicative of an independent discovery of the same fault condition in MSIE by unrelated means; other explanations for this pair of consecutive searches seem extremely unlikely."
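The pattern Zalewski describes (a visitor arriving via a search for identifiers unique to an undisclosed bug, then walking the directory) is visible in ordinary web server access logs through the search-engine referrer. The Python below is an added illustration, not code from the article or from cross_fuzz; the log lines, IP addresses and file paths are constructed, and only the two function names come from the article.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Identifiers that point only at the unpatched bug (from the article).
# A visitor who searched for them already knows about the flaw.
SENSITIVE_TERMS = {"breakaaspecial", "breakcircularmemoryreferences"}

# Apache/nginx "combined" log format: ip ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (documentation-range IPs, hypothetical paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Dec/2010:11:02:13 +0000] "GET /cross_fuzz/msie_crash_1.txt HTTP/1.1" 200 5120 '
    '"http://www.google.com/search?q=BreakAASpecial+BreakCircularMemoryReferences" "Mozilla/5.0"',
    '203.0.113.7 - - [30/Dec/2010:11:03:40 +0000] "GET /cross_fuzz/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [30/Dec/2010:11:04:02 +0000] "GET /cross_fuzz/cross_fuzz.html HTTP/1.1" 200 30000 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [30/Dec/2010:12:00:00 +0000] "GET /cross_fuzz/ HTTP/1.1" 200 2048 '
    '"http://www.google.com/search?q=browser+fuzzer" "Mozilla/5.0"',
    '198.51.100.9 - - [30/Dec/2010:12:00:30 +0000] "GET /cross_fuzz/cross_fuzz.html HTTP/1.1" 200 30000 "-" "Mozilla/5.0"',
]

def search_terms(referer):
    """Lower-cased query words if the referer is a search result page, else []."""
    if not referer or referer == "-":
        return []
    qs = parse_qs(urlparse(referer).query)      # parse_qs already decodes '+' and %xx
    values = qs.get("q") or qs.get("p") or []   # Google/Bing use q=, Yahoo uses p=
    return [w for v in values for w in v.lower().split()]

def analyze(lines):
    """Return IPs that arrived via a search for a sensitive identifier and then
    fetched further files, with the matched terms and the paths they pulled."""
    per_ip = defaultdict(lambda: {"hits": set(), "fetched": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                        # skip unparsable lines
        hits = SENSITIVE_TERMS & set(search_terms(m["referer"]))
        if hits:
            per_ip[m["ip"]]["hits"] |= hits                 # the tell-tale search
        elif m["ip"] in per_ip and m["status"].startswith("2"):
            per_ip[m["ip"]]["fetched"].append(m["path"])    # follow-up downloads
    return {ip: d for ip, d in per_ip.items() if d["hits"] and d["fetched"]}

if __name__ == "__main__":
    for ip, d in analyze(SAMPLE_LOG).items():
        print(ip, sorted(d["hits"]), d["fetched"])
```

The second visitor searched for a generic phrase and is ignored; only the search for identifiers tied to the unreported bug, followed by a directory walk, is flagged for review.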

Microsoft, meanwhile, said in a statement that now that information about the vulnerability is public, "the risk has now been amplified," but that it hasn't seen any signs of attack thus far. "Working with software vendors to address potential vulnerabilities in their products before details are made public reduces the overall risk to customers. In this case, risk has now been amplified. We will continue to investigate this issue and take appropriate action to help protect customers," said Jerry Bryant, group manager for response communications at Microsoft, in a statement. "Microsoft is investigating this potentially exploitable vulnerability and will take the appropriate steps to help protect customers. As always, we are closely monitoring the threat landscape and are not aware of any attempts to try and exploit the issue."

Anup Ghosh, founder and chief scientist at Invincea, says Zalewski's fuzzer appears to be sophisticated enough to explore far more of the state space of the browser's document object model than a simple fuzzer can.

He says it's not really surprising that browsers can't handle unexpected input well. "If they do not handle unexpected input -- and most exploits fall into that category -- they can be susceptible to exploits that grant privileges to code that shouldn't have them, such as that from malicious websites," Ghosh says. "Time will tell how many of these bugs will become exploitable vulnerabilities. With this fuzz-testing tool now available, bug finders will have a new sophisticated tool at their disposal to help find zero-days."

The sheer complexity of a browser basically guarantees it will contain bugs, he says.

Zalewski says Microsoft had asked him to hold off on releasing the tool -- which he first alerted the company about in July -- but he went forward with his plan to release it in early January. "Vendor has acknowledged receiving the report in July (case 10205jr), but has not contacted me again until my final ping in December. Following that contact attempt, they were able to quickly reproduce multiple exploitable crashes, and asked for the release of this tool to be postponed indefinitely. Since they have not provided a compelling explanation as to why these issues could not have been investigated earlier, I refused," he blogged.

Zalewski says Microsoft was concerned about the PR ramifications of the fuzzer and its findings, and that it was at first unable to reproduce the browser crashes he had reported to them with his tool. In late December, however, Microsoft's researchers told him they had been able to reproduce the same flaws, Zalewski says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
