Researchers confirm Googler's Internet Explorer bug

French firm Vupen says Microsoft's browser vulnerable to drive-by attacks

French security researchers today confirmed the presence of a bug in Internet Explorer (IE) that's at the center of a spat between Microsoft and a Google security engineer.

According to Vupen, IE8 harbors a vulnerability that can be exploited to hijack a Windows system.

"A vulnerability has been identified in Microsoft Internet Explorer, which could be exploited by remote attackers to take complete control of a vulnerable system," said the French firm in an advisory published Wednesday.

Vupen said it confirmed the vulnerability and its exploitability in IE8 running on Windows XP Service Pack 3 (SP3), but believed it could also be leveraged on Windows Vista, Windows 7, Server 2003, Server 2008 and Server 2008 R2.

The security company rated the bug as "critical," its highest threat warning. In a follow-up tweet , Vupen said, "Reproducing was/is hard."

The bug was publicly reported last Saturday by Michal Zalewski, a Google security engineer, when he released a new "fuzzing" tool that had found more than 100 bugs in the five major browsers: Chrome, Firefox, Internet Explorer (IE), Opera and Safari. He also published a crash dump of one of the IE bugs he believed could be exploited.

Zalewski's release of "cross_fuzz" and the crash dump has sparked a skirmish between him and Microsoft.

The latter has claimed that even though its engineers have had the fuzzer since July, they were only able to identify the vulnerability Dec. 21, 2010, when Zalewski provided a newer version of the tool.

Zalewski has disputed that in a detailed timeline of the back-and-forth with Microsoft. Earlier this week he said he released cross_fuzz and the crash dump because Chinese hackers were already probing for information on the bug, and because Microsoft had not responded for months to his bug report.

Vupen identified the IE vulnerability as a "use-after-free error" within "mshtml.dll," the code library that composes the browser engine. Attackers could exploit the bug by enticing people to a malicious Web page -- a classic "drive-by" attack that compromises the browser as soon as it renders the page.

Microsoft has said it is investigating the IE vulnerability, but has not issued a security advisory or revealed its patching plans.

With the Vupen confirmation, Microsoft now has four unpatched bugs to work on, including a critical IE bug it acknowledged two weeks ago, a WMI Active X flaw in IE that went public at the same time, and a Windows vulnerability the company confirmed Tuesday.

Join the newsletter!

Or
Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securityMicrosoftbrowsersGoogleoperating systemssoftwareapplicationsWindowsMalware and Vulnerabilities

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?