Google discloses IE ‘cross fuzz’ flaw before Microsoft can issue patch

For the second time in four months, a Google researcher has publicly revealed a fresh security flaw in Microsoft’s Internet Explorer web browser.

In doing so this past weekend, Google researcher Michal Zalewski flatly declined a request from Microsoft to delay disclosing his discovery until the software giant had time to deploy a security patch.

Jerry Bryant, manager of response communications for Microsoft’s Trustworthy Computing group, says Zalewski increased the risk that cyber criminals will find a way to take advantage of the browser flaw before a patch can be refined, tested and widely distributed.

“Microsoft is committed to working with researchers and the companies who employ them,” says Bryant. He says collaborating behind the scenes “to address potential vulnerabilities before details are made public reduces the overall risk to customers. Microsoft’s primary goal is to reduce customer risk, not amplify it. In this case, risk has now been amplified.”

Bryant says Microsoft is trying to determine if hackers could actually exploit the flaw; he said no known attacks have taken place so far.

Zalewski says in this account that he used a technique called “cross fuzzing” to find the flaw. This involves continually submitting unanticipated data to the IE browser until it breaks, and then taking control of the browser. Zalewski says he was compelled to go public about the IE flaw because he had reason to believe Chinese researchers also recently discovered the same vulnerability.
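To make the fuzzing idea in the previous paragraph concrete, here is an added, constructed example in Python; it is not Zalewski’s tool, nor code from the article, nor anything that touches Internet Explorer. It fuzzes a toy attribute parser (`parse_attributes`, with a deliberate defect added for the demonstration) the way a vendor’s own QA harness would: mutate a seed input, record the first input for each distinct crash signature, shrink the crashing input to its smallest form, and confirm that a corrected parser (`parse_attributes_fixed`) survives the same run. All function names and the seed markup are assumptions of this example.

```python
import random
from typing import Callable, Dict, Optional

# Constructed toy component under test. Deliberate defect: a token without '='
# makes split("=", 1) return one element, so indexing [1] raises IndexError.
def parse_attributes(markup: str) -> dict:
    attrs = {}
    if not (markup.startswith("<") and markup.endswith(">")):
        raise ValueError("not a tag")          # malformed input we expect and handle
    body = markup[1:-1].strip()
    for token in body.split()[1:]:             # skip the tag name
        parts = token.split("=", 1)
        attrs[parts[0]] = parts[1].strip('"')  # defect: parts[1] may not exist
    return attrs

# Corrected version: a valueless attribute is treated as legal instead of crashing.
def parse_attributes_fixed(markup: str) -> dict:
    attrs = {}
    if not (markup.startswith("<") and markup.endswith(">")):
        raise ValueError("not a tag")
    for token in markup[1:-1].split()[1:]:
        name, sep, value = token.partition("=")
        attrs[name] = value.strip('"') if sep else ""
    return attrs

SEED_INPUT = '<img src="x.png" alt="y">'       # constructed seed corpus of one entry
MUTATION_ALPHABET = '<>="/ abc\x00\n'

def mutate(seed: str, rng: random.Random) -> str:
    """Apply one to four random edits (delete, insert, replace, duplicate a slice)."""
    s = list(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(4)
        if op == 0 and s:
            del s[rng.randrange(len(s))]
        elif op == 1:
            s.insert(rng.randrange(len(s) + 1), rng.choice(MUTATION_ALPHABET))
        elif op == 2 and s:
            s[rng.randrange(len(s))] = rng.choice(MUTATION_ALPHABET)
        elif s:
            i = rng.randrange(len(s))
            j = rng.randrange(i, len(s) + 1)
            s[i:i] = s[i:j]
    return "".join(s)

def run_one(target: Callable[[str], dict], data: str) -> Optional[str]:
    """Return a crash signature, or None when the target handled the input."""
    try:
        target(data)
    except ValueError:
        return None                            # documented rejection, not a bug
    except Exception as exc:                   # anything else is an unexpected failure
        return f"{type(exc).__name__}: {exc}"
    return None

def fuzz(target: Callable[[str], dict], seed: str, iterations: int,
         rng_seed: int = 0) -> Dict[str, str]:
    """Mutation fuzz loop; keeps the first input seen for each crash signature."""
    rng = random.Random(rng_seed)              # fixed seed keeps the run reproducible
    crashes: Dict[str, str] = {}
    for _ in range(iterations):
        candidate = mutate(seed, rng)
        sig = run_one(target, candidate)
        if sig and sig not in crashes:
            crashes[sig] = candidate
    return crashes

def minimize(target: Callable[[str], dict], crashing: str, sig: str) -> str:
    """Greedy one-character reduction that keeps the same crash signature."""
    current = crashing
    changed = True
    while changed:
        changed = False
        for i in range(len(current)):
            trial = current[:i] + current[i + 1:]
            if run_one(target, trial) == sig:
                current, changed = trial, True
                break
    return current

if __name__ == "__main__":
    found = fuzz(parse_attributes, SEED_INPUT, 500)
    for sig, data in found.items():
        print(sig, "->", repr(minimize(parse_attributes, data, sig)))
    print("fixed parser crashes:", fuzz(parse_attributes_fixed, SEED_INPUT, 500))
```

The harness distinguishes the parser’s documented rejection (`ValueError`) from any other exception, so only genuine defects are reported; the minimizer then turns a noisy mutated input into the few characters that actually trigger the bug, which is what a developer needs in a bug report.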

Last September, a Google researcher named Chris Evans did much the same thing. After discovering a fresh IE vulnerability, Evans disclosed it publicly before Microsoft could get a patch ready. Evans said at the time that he did not think Microsoft was moving fast enough to issue a patch.

It’s worth noting that Google’s Chrome web browser competes directly against IE, the world’s most widely used browser. Chrome is part of Google’s strategy to displace Microsoft Office with Google Apps. Microsoft, meanwhile, is pushing hard to grab chunks of Google’s core search advertising business with its Bing search services.

The browser vulnerabilities discovered by Zalewski and Evans represent fresh ways for cybercriminals and cyberspies to take control of Internet-connected computers, says Arian Evans, Vice President of Operations at website security company WhiteHat Security.

Browser attacks work hand-in-hand with SQL injection and cross site scripting attacks that are intensively used by professional cyber gangs to crack into website applications.

“Today attackers tend to leverage browser exploits by first exploiting the web application,” says Evans. “After compromising the web application, they use the browser-level exploits, like this IE exploit discovered by Michal Zalewski, to compromise and take over the website users’ computers. So these types of exploits are used together to compromise both web application and the end user PC.”

For Jeremiah Grossman, founder and CTO of WhiteHat Security, Google’s adopted posture with respect to full-and-rapid disclosure of fresh vulnerabilities — which essentially mirrors the attitude of grayhat researchers such as those who founded the Metasploit Project — is a bit of a red herring issue:

For myself, whether or not Zalewski, Evans, or whomever the researcher is behaving responsibly is not the most relevant issue. Surely more security vulnerabilities are going to be continually found in all major Web browsers that may or may not be publicly disclosed in the recommended manner.

The question we must ask ourselves is why after nearly a decade of investment in Trustworthy Computing are these issues still present, and as shown, even common? Why is it that it still only takes the exploitation of just ONE software vulnerability for the bad guys to take over an entire machine? Visit a single infected Web page, open a malicious PDF or Word document, and bang, game over. Something I’ve recently written about:

Grossman details his argument for wider use of sandboxing in this post. He opines that it may be time for Mozilla and Microsoft to “follow Google’s lead and add sandboxes to their respective browsers and plugins.”

“Instead of one bug, it takes two,” argues Grossman. “The second being much, much harder to exploit. For end-users, this is the most important bit over the drama between two arch rivals.”

By Byron Acohido
