Chinese hackers potentially have their hands on an unpatched zero-day flaw in Internet Explorer, a Google researcher has said.
Michal Zalewski said a debugger he created called cross_fuzz discovered an "evidently exploitable vulnerability," and he has now raised concerns the IE flaw is "known to third parties in China."
The issue arose after a developer accidentally leaked the address of the debugger, or fuzzer, in an uploaded crash trace.
This subsequently led to Google indexing the debugger's directory, which contained information on the vulnerability.
On 30 December, search queries seen by Zalewski showed how the details on the flaw and files relating to an unpublished security tool had been obtained by an unknown party with a Chinese IP address.
"The pattern is very strongly indicative of an independent discovery of the same vulnerability in MSIE using unrelated tools, eventually leading the discoverer to my site; other explanations for this pair of consecutive searches seem extremely unlikely," Zalewski wrote.
Microsoft and Google come to blows
Zalewski, who said his debugger had helped identify around 100 bugs in all browsers on the market, claimed Microsoft had been contacted about the vulnerability in July.
The Google researcher claimed Microsoft had then asked for the release of the tool to be delayed "indefinitely," after the Redmond giant had purportedly reproduced multiple exploitable crashes in testing out the flaw.
"Since they have not provided a compelling explanation as to why these issues could not have been investigated earlier, I refused," he added in a blog post.
In a timeline of his interaction with Microsoft, Zalewski had a disagreement with Microsoft over the course of events.
"The current PR messaging from Microsoft implies that substantial differences existed between July and December fuzzer variants, and that the July 29 could not reproduce the vulnerability outlined in msie_crash.txt," he said.
"This is inconsistent with my record."
Jerry Bryant, group manager in Microsoft's Response Communications, claimed no issues had been identified by either Zalewski or Microsoft following the release of the tool in July.
However, Bryant admitted Microsoft and Zalewski discovered at a later date that the debugger released in July did throw up some issues.
"It is important to clarify that neither Microsoft or Zalewski found this issue in the July timeframe," he said.
When an updated version of the debugger was released in December and found a "potentially exploitable," Microsoft started trying to determine whether the vulnerability was really exploitable, Bryant said.
"After reviewing the new version of the tool and the crash report, we requested that Zalewski hold the public release of the new version of the tool and information on the specific vulnerability found in December until we could investigate further," Bryant added.
"We specifically told Zalewski we were fine with him publishing the two versions of the tool reported in July."
He added that Microsoft was not aware of any successful attempts to develop a proof of concept exploit code or any attacks due to the tools release.
"If the situation changes, we will take the appropriate action to help protect customers," he said.
-
Hounslow Council partners with Amazon Web Services (AWS) to build resilience and transition away from legacy techSpomsored One of the most diverse and fastest-growing boroughs in London has completed a massive cloud migration project. Supported by AWS, it was able to work through any challenges
-
Salesforce targets better data, simpler licensing to spur Agentforce adoptionNews The combination of Agentforce 360, Data 360, and Informatica is more context for enterprise AI than ever before
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
-
Critical Dell Storage Manager flaws could let hackers access sensitive data – patch nowNews A trio of flaws in Dell Storage Manager has prompted a customer alert
-
Flaw in Lenovo’s customer service AI chatbot could let hackers run malicious code, breach networksNews Hackers abusing the Lenovo flaw could inject malicious code with just a single prompt
-
Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?News The cybersecurity agency will work with external researchers to uncover potential security holes in hardware and software
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
