Well-known researcher and Google employee Michal Zalewski has released a “fuzzing” tool for web browsers. According to Zalewski, an accidental disclosure of an unpatched IE vulnerability, found during work on the tool, appears to have leaked out to other researchers in China. The motives of those researchers are unknown.
Fuzz testing is a form of testing in which the inputs fed to the program under test are generated, partly at random, by a “fuzzer”. The aim is to create unexpected conditions and see whether the program under test handles error conditions, edge cases and stress correctly.
This 0-day appears to be unrelated to the one revealed recently, which exploits a .NET DLL unprotected by ASLR.
Zalewski describes the tool, named cross_fuzz, as “an amazingly effective but notoriously annoying cross-document DOM binding fuzzer that helped identify about one hundred bugs in all browsers on the market – many of said bugs exploitable – and is still finding more.”
The tool’s design—cruel to the point of torture of a browser’s DOM engine—has so much randomness in it that it often makes reproduction of errors difficult. Many of the reports sent to vendors on the basis of this tool remain too vague to act on, which makes the bugs difficult to fix. Zalewski has released the tool in the hope that community involvement will help make it more useful to developers.
But the tool found several exploitable and fairly well-defined vulnerabilities in Internet Explorer, which Zalewski reported to Microsoft in July. Microsoft acknowledged receipt but did not reply further until just recently, when it asked that the release of the tool be delayed.
Google researchers have been involved in controversial disclosure episodes before, but clearly there is a point at which it is reasonable for researchers to go public if the vendor has not responded. Six months seems to be emerging as the industry standard for this.
Note that Zalewski has not completely disclosed the IE vulnerabilities (although he did release a stack trace). Everyone, and certainly Microsoft, has to assume the details are in the wrong hands by now, especially as Zalewski’s experience indicates that the Chinese researchers had found the vulnerability themselves and were searching for further information.
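As an added illustration (not cross_fuzz’s own code), here is a small seeded generator of cross-document DOM operation sequences in JavaScript. Recording the seed is what makes a run reproducible, which is exactly the property the article says cross_fuzz’s unrecorded randomness makes hard; the object and method names are constructed for the example, and it only emits script text, so it runs without a browser.

```javascript
// Added example, not code from cross_fuzz: a seeded generator of cross-document
// DOM operation sequences. Because every choice comes from a PRNG seeded with a
// recorded value, any sequence that triggers a crash can be regenerated from its
// seed and attached to a bug report, instead of being lost to unrecorded randomness.

// Objects from two documents (a page and its iframe); names are constructed.
const DOCS = ["document", "frame.contentDocument"];
// Methods that take a node from one document and bind it into another.
const ACTIONS = ["adoptNode", "importNode", "body.appendChild", "body.removeChild"];
// Node expressions used as arguments.
const NODES = ["body", "documentElement", "createElement('div')"];

// Mulberry32, a small 32-bit seeded PRNG returning values in [0, 1).
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

function pick(rng, arr) {
  return arr[Math.floor(rng() * arr.length)];
}

// Generate `steps` operations; each binds a node owned by one document into a
// method of another (possibly the same) document, the cross-document pattern.
// Each step is wrapped in try/catch so a thrown DOM exception does not stop the run.
function generateCase(seed, steps = 8) {
  const rng = mulberry32(seed);
  const ops = [];
  for (let i = 0; i < steps; i++) {
    const src = pick(rng, DOCS);
    const dst = pick(rng, DOCS);
    ops.push(`try { ${dst}.${pick(rng, ACTIONS)}(${src}.${pick(rng, NODES)}); } catch (e) {}`);
  }
  return { seed, ops };
}

// Render a case as a stand-alone script whose first line records the seed, so a
// reporter can attach it to a bug and a developer can regenerate it exactly.
function toScript(testCase) {
  return [`// cross-document DOM case, seed=${testCase.seed}`, ...testCase.ops].join("\n");
}
```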


Full story: Security Watch
Posted on 02 January 2011. Tags: 0day, Circulation