Microsoft is investigating reports of a zero-day vulnerability impacting Internet Explorer based on how it handles CSS. The issue was discovered using cross_fuzz, a browser fuzzing tool created by a Google researcher who went public with the IE flaw because he believes Chinese researchers also recently discovered the same vulnerability.
Jerry Bryant, manager of response communications for Microsoft's Trustworthy Computing group, confirmed that Google provided Redmond with a copy of the fuzzing tool back in July 2010. Neither company found any issues in IE using the initial version of cross_fuzz, but this changed recently when cross_fuzz was updated.
"On December 21, a new version of the tool was reported to us along with information about a potentially exploitable crash found by the new version," Bryant said in a statement. "We immediately worked to reproduce the issue with the updated and original tool and are currently investigating it further to determine if it is actually exploitable."
In a timeline of the events, Zalewski writes that this is incorrect: "the current PR messaging from Microsoft implies that substantial differences existed between July and December fuzzer variants, and that the July 29 could not reproduce the vulnerability outlined in msie_crash.txt. This is inconsistent with my record."
The next day, Microsoft issued Security Advisory (2488013) confirming that the vulnerability impacted all supported versions of IE. Microsoft explained that the vulnerability exists due to the creation of uninitialized memory during a CSS function within the browser, making it possible for the memory to be leveraged by an attacker with a specially crafted webpage.
Details on the IE vulnerability are probably more widely known than Microsoft would like, especially given that the researcher in question, Michal Zalewski released the fuzzing tool to the public on New Years Day. It's worth noting that a Google employee has done this before, disclosing an IE flaw that could allow attackers to steal private information from online services. Then and now, Microsoft argued that details should not be disclosed publicly until a patch is available.
Microsoft argues that Zalewski has increased the risk to IE users since cyber criminals will find a way to exploit the flaw before a patch can be thoroughly tested and widely distributed. At the same time, Microsoft says it is currently unaware of any attacks trying to use the vulnerability. The company is actively monitoring the situation and may provide a security update on an upcoming Patch Tuesday (the next is January 11) or an out-of-cycle patch. Next week is a bit soon for a patch, and the company usually doesn't get fixes out on the next patch cycle. That being said, this time the company can't simply tell users to upgrade to the latest and greatest, since all versions are affected.
See original here:
Other Business News:
没有评论:
发表评论