Browser security specialist Michal Zalewski believes that Chinese hackers have long been aware of a security vulnerability in Internet Explorer that has only recently come to public attention. The bug is thought to be exploitable for code execution and so for infecting computers, although so far attempts to exploit it have only managed to crash the browser. The chain of events that led Zalewski to conclude that the vulnerability may already be circulating among Chinese hackers is an interesting one.
Zalewski, who works for Google's security team, reports that he discovered the vulnerability some time ago using his cross_fuzz fuzzing tool and reported it to Microsoft in July 2010. He also used cross_fuzz to find bugs in other browsers, which he reported to the respective vendors. To give the developers access to the details, Zalewski took the practical step of placing the tool and the crash dumps it had produced on his server and sending the browser developers a link to the files. According to Zalewski, however, one developer accidentally posted that link to a bug database, with the result that Google indexed the link along with specific details of two functions in mshtml.dll, BreakAASpecial and BreakCircularMemoryReferences, both of which are faulty. In late December, Zalewski's server was visited by a surfer from China who had arrived at the site via Google searches for exactly these two function names.
The visitor took a good look around the site but does not appear to have shown any interest in the fuzzing tool itself. Zalewski concludes that Chinese hackers had independently discovered the same vulnerability and were searching the web for further information on it. This would fit a trend reported in mid-2010 by the Zero Day Initiative (ZDI), which buys vulnerability information from researchers: it saw an increase in the number of vulnerabilities submitted independently by more than one researcher. That, too, strongly suggests that exploit writers may already be aware of many of the vulnerabilities that are being reported.
According to a timeline published by Zalewski, Microsoft was unable to reproduce the bugs for many months, but has now apparently succeeded. It is not clear when a patch will be released. Zalewski has now made his fuzzing tool publicly available for download. He used it to discover and report numerous vulnerabilities in all WebKit-based browsers, as well as in Firefox and Opera; many of them have already been fixed.
The cross_fuzz tool focuses on vulnerabilities in the functions that handle Document Object Model (DOM) objects: it crawls the DOM of several documents, then repeatedly calls methods and sets properties with references to objects from another document, which is a reliable way of provoking memory management errors in browser DOM bindings. Zalewski previously hit the headlines in 2004 with his MangleMe fuzzing script. Back then, he considered Internet Explorer to be the most robust of the available browsers.
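To make the cross-document fuzzing approach concrete, here is a miniature fuzzing loop written in that style as an added example. It is not cross_fuzz, not Zalewski's code and not taken from the article; it does not drive a real browser. The "documents" (makeDocument, navigateAway) are constructed stand-ins so the loop can run in Node, and appendChild carries a deliberately planted bug that dereferences a reference to a document that has been navigated away, standing in for the class of memory errors such fuzzers find. The seeded PRNG is there because the practical value of a crash, as the article's crash dumps illustrate, lies in being able to reproduce and hand it over.

```javascript
// Added example: a cross_fuzz-style fuzzing loop in miniature. NOT Zalewski's
// cross_fuzz and not a real browser; the documents below are constructed
// stand-ins. What it keeps is the idea behind cross-document DOM fuzzing:
//   1. crawl two documents and collect every reachable object reference,
//   2. call methods on objects of one document, handing them references
//      taken from the OTHER document, so cross-document references pile up,
//   3. "navigate" one document away while still holding its references,
//   4. keep poking, and record anything that blows up together with the
//      PRNG seed and iteration number so the case can be replayed.

// Seeded PRNG (mulberry32) so a crash can be reproduced from (seed, iteration).
function makeRng(seed) {
  let a = seed >>> 0;
  return () => {
    a = (a + 0x6D2B79F5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Breadth-first walk collecting every reachable object (no primitives, no
// functions). A getter that throws is skipped, as it would be in a DOM crawl.
function crawl(root, maxNodes = 500) {
  const seen = new Set();
  const queue = [root];
  while (queue.length && seen.size < maxNodes) {
    const o = queue.shift();
    if (o === null || typeof o !== 'object' || seen.has(o)) continue;
    seen.add(o);
    for (const k of Object.keys(o)) {
      try { queue.push(o[k]); } catch (e) { /* throwing getter: ignore */ }
    }
  }
  return [...seen];
}

// Hypothetical stand-in for a DOM document: a body with two child nodes.
// appendChild has a planted bug of the kind such fuzzers surface: it trusts
// that the argument's owner document is still alive.
function makeDocument(name) {
  const doc = { name, title: name + ' title', body: null };
  const makeNode = (tag) => ({
    tag, ownerDocument: doc, children: [], attrs: {},
    appendChild(child) {
      if (!child || typeof child !== 'object' || !('ownerDocument' in child)) return null;
      const len = child.ownerDocument.title.length; // dangles after navigation
      this.children.push(child);
      return len;
    },
    setAttribute(k, v) { if (typeof k === 'string') this.attrs[k] = String(v); return this.attrs; },
    cloneNode() { return makeNode(this.tag); },
  });
  doc.body = makeNode('body');
  doc.body.children.push(makeNode('div'), makeNode('span'));
  return doc;
}

// Model "navigating away": the document's memory is reused, so every data
// field of every object that belonged to it is wiped. References to those
// objects held elsewhere (our pool, the other document) now dangle.
function navigateAway(doc) {
  for (const o of crawl(doc)) {
    for (const k of Object.keys(o)) if (typeof o[k] !== 'function') o[k] = null;
  }
}

// Returns the list of crashes: {seed, iteration, method, error}.
function fuzz(docA, docB, { iterations = 2000, seed = 1 } = {}) {
  const rng = makeRng(seed);
  const pick = (arr) => arr[Math.floor(rng() * arr.length)];
  const pool = { A: crawl(docA), B: crawl(docB) }; // collected once, kept throughout
  const crashes = [];
  const navigateAt = Math.floor(iterations / 2);
  for (let i = 0; i < iterations; i++) {
    if (i === navigateAt) navigateAway(docB); // pool.B still holds B's objects
    const target = pick(pool.A); // methods are invoked on the live document
    const methods = Object.keys(target).filter((k) => typeof target[k] === 'function');
    if (methods.length === 0) continue;
    const method = pick(methods);
    const arg = pick(rng() < 0.5 ? pool.A : pool.B); // cross-document argument half the time
    try {
      target[method](arg);
    } catch (e) {
      crashes.push({ seed, iteration: i, method, error: String(e) });
    }
  }
  return crashes;
}

const demoCrashes = fuzz(makeDocument('A'), makeDocument('B'), { iterations: 2000, seed: 1 });
console.log(`${demoCrashes.length} crash(es); first:`, demoCrashes[0]);
```

Nothing fails during the first half of the run: every reference handed across documents still points at live data. Only after document B has been navigated away do the stale references in the pool start to hurt, and only the method that dereferences its argument without checking trips. Against a real browser the equivalent of the try/catch is the process dying, which is why a fixed seed and a logged iteration count matter more than the fuzzer's raw speed.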