IE zero-day leaked to China?


Chinese hackers potentially have their hands on an unpatched zero-day flaw in Internet Explorer, a Google researcher has said.

Michal Zalewski said a debugger he created called cross_fuzz discovered an "evidently exploitable vulnerability," and he has now raised concerns the IE flaw is "known to third parties in China."

The issue arose after a developer accidentally leaked the address of the debugger, or fuzzer, in an uploaded crash trace.

This subsequently led to Google indexing the debugger's directory, which contained information on the vulnerability.

On 30 December, search queries seen by Zalewski showed how the details on the flaw and files relating to an unpublished security tool had been obtained by an unknown party with a Chinese IP address.

"The pattern is very strongly indicative of an independent discovery of the same vulnerability in MSIE using unrelated tools, eventually leading the discoverer to my site; other explanations for this pair of consecutive searches seem extremely unlikely," Zalewski wrote.

Microsoft and Google come to blows

Zalewski, who said his debugger had helped identify around 100 bugs in all browsers on the market, claimed Microsoft had been contacted about the vulnerability in July.

The Google researcher claimed Microsoft had then asked for the release of the tool to be delayed "indefinitely," after the Redmond giant had purportedly reproduced multiple exploitable crashes in testing out the flaw.

"Since they have not provided a compelling explanation as to why these issues could not have been investigated earlier, I refused," he added in a blog post.

In a timeline of his interaction with Microsoft, Zalewski had a disagreement with Microsoft over the course of events.

"The current PR messaging from Microsoft implies that substantial differences existed between July and December fuzzer variants, and that the July 29 could not reproduce the vulnerability outlined in msie_crash.txt," he said.

"This is inconsistent with my record."

Jerry Bryant, group manager in Microsoft's Response Communications, claimed no issues had been identified by either Zalewski or Microsoft following the release of the tool in July.

However, Bryant admitted Microsoft and Zalewski discovered at a later date that the debugger released in July did throw up some issues.

"It is important to clarify that neither Microsoft or Zalewski found this issue in the July timeframe," he said.

When an updated version of the debugger was released in December and found a "potentially exploitable," Microsoft started trying to determine whether the vulnerability was really exploitable, Bryant said.

"After reviewing the new version of the tool and the crash report, we requested that Zalewski hold the public release of the new version of the tool and information on the specific vulnerability found in December until we could investigate further," Bryant added.

"We specifically told Zalewski we were fine with him publishing the two versions of the tool reported in July."

He added that Microsoft was not aware of any successful attempts to develop a proof of concept exploit code or any attacks due to the tools release.

"If the situation changes, we will take the appropriate action to help protect customers," he said.

Tom Brewster

Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.

He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.