tl;dr version is something like this: Michal Zalewski writes a DOM fuzzer, fuzzes IE, finds flaws, Chinese dudes Google some .dll functions and find fuzzer results.

It could be some kind of weird coincidence, or you could read a whole conspiracy theory into it (unreleased tool, very specific search terms etc.).

Details concerning a potentially serious security vulnerability in fully patched versions of Microsoft’s Internet Explorer have been leaked to people in China, a researcher warned over the weekend.

Michal Zalewski, a security researcher at Google, blogged that data concerning at least one “clearly exploitable crash” in the Microsoft browser was inadvertently disclosed to people who were using a Chinese IP address. Details about the bug, which resides in the mshtml.dll component, were stored on a server that had accidentally been indexed by Google, Zalewski wrote elsewhere. On December 30, detailed search queries showed that the sensitive information, in addition to files for an unpublished security tool, had been retrieved by the unknown party.

“This pattern is very strongly indicative of an independent discovery of the same fault condition in MSIE by unrelated means,” Zalewski wrote. “Other explanations for this pair of consecutive searches seem extremely unlikely.”

The bug leads to arbitrary crashes in the EIP, or extended instruction pointer, of machines running the Microsoft browser. Zalewski said the flaw “is pretty much fully attacker-controlled.” It was uncovered using cross_fuzz, a security tool the researcher developed in his spare time more than two years ago to identify potential security vulnerabilities in IE, Firefox, and other browsers. Since its release, the tool has helped to identify nearly 100 various browser bugs.

You can find the complete history between MZ and Microsoft regarding both ref_fuzz and cross_fuzz here:

fuzzer_timeline.txt

As for the ‘discovery’ it does seem likely that someone else had already discovered the same vulnerability and were searching for further information about it and if it had been published/disclosed. The search logs are here:

known_vuln.txt

A statement attributed to Jerry Bryant, group manager in Microsoft’s Response Communications, said company researchers are working to reproduce the crash to see if the underlying vulnerability can be exploited by malicious hackers.

“At this point, we’re not aware of any exploits or attacks for the reported issue and are continuing to investigate and monitor the threat environment for any changes,” Bryant said.

Zalewski provided this account of his communications with Microsoft, which started in May 2008. In it, he claims that on December 21, Microsoft researcher David Ross “confirms being able to reproduce crashes locally right away.”

Zalewski said that Microsoft researchers asked him to delay the release of cross_fuzz until they had more time to investigate the crashes. He published his warning on New Year’s Day, after he learned that the crash logs and related files had been downloaded.

“These search queries are looking for information on two MSHTML.DLL functions – BreakAASpecial and BreakCircularMemoryReferences – that are unique to the stack signature of this vulnerability, and had *absolutely* no other mentions on the internet at that time,” he said.

cross_fuzz has been released officially now by Zalewski after Microsoft have had some time to investigate the crashes further. The moral of the story is, once again don’t use Internet Explorer!

As right now, there is a potentially dangerous 0-day for IE in the wild and as we well known with Patch Tuesday it’ll be quite some time before it gets fixed.

Source: The Register

Ah Microsoft is treating this one seriously after France and Germany advised users to avoid IE.

The current strain being exploited only targets IE6 users, but one security company has developed an exploit for IE8 which also bypasses DEP (Data Execution Prevention).

It was rumoured this was the exploit used last week to compromise Google and various other high profile networks. Although I am skeptical as to why anyone was using IE inside Google? Perhaps doing cross browser testing for development, who knows.

Microsoft will release an out-of-band patch Jan. 21 to fix the Internet Explorer vulnerability at the center of recent attacks on Google and other enterprises.

According to Microsoft, the patch is slated to be ready around 1 p.m. EST. If all goes according to plan, the patch will close a hole that has prompted France and Germany to advise users to avoid IE and the U.S. State Department to demand answers from China. Attackers have used the vulnerability to hit IE 6. Microsoft so far has said it has only seen limited, targeted attacks using the vulnerability.

Meanwhile, security researchers have continued to uncover information about the origin of the attack. Joe Stewart, director of malware research for SecureWorks’ Counter Threat Unit, said his analysis of the code for the main Trojan involved in the attacks shows a more direct link to China.

It’s very rare for them to push an out-of-band patch for anything but I guess there are still a LOT of IE users out there and this is a serious flaw.

It does seem to originate from China with the only discussions about the technical parts of the flaw and implementation being discussed on Chinese language sites.

As can be seen by a Google search here (“crc_ta[16]“), after the first few English news sites reporting the flaw the rest of the results are in Chinese.

According to Stewart, the code includes a CRC (cyclic redundancy check) algorithm implementation released as part of a Chinese-language paper on optimizing CRC algorithms for use in microcontrollers.

“This CRC -16 implementation seems to be virtually unknown outside of China, as shown by a Google search for one of the key variables, ‘crc_ta[16],’” Stewart noted in a SecureWorks blog post Jan. 20. “At the time of this writing, almost every page with meaningful content concerning the algorithm is Chinese.”

Up until this finding, Stewart told eWEEK, the factors leading people to point to China were patterns similar to previous Chinese malware.

“Unfortunately, when investigating malware, nothing is conclusive because digital evidence can be forged,” he said. “However, I believe the use of the Chinese algorithm certainly gives more credence to the attack code being Chinese in origin.”

They really have no choice but to release this patch when faced with government pressure, you should see it hitting your Windows Update sometime today (Jan 21st).

Let’s hope this patch has been tested properly and doesn’t subject users to another black screen of death.

It’s good to see some proactive initiatives by Microsoft, I hope they continue through 2010.

Source: eWeek

Our Polish friend and expert security researcher, Michal Zalewski (lcamtuf), known for his endless stream of vulnerabilities in all manners of software, has struck again.

This time with some pretty serious flaws in both Internet Exploder Explorer and Firefox. This time it’s 4, 2 in IE and 2 in Firefox.

The first which effects fully patched IE6 and IE7 is pretty serious and can result in cookie theft, cooking setting, page hijacking or memory corruption.

It’s based on a page update Race Condition (aka bait and switch vuln).

When Javascript code instructs MSIE6/7 to navigate away from a page that meets same-domain origin policy (and hence can be scriptually accessed and modified by the attacker) to an unrelated third-party site, there is a window of opportunity for concurrently executed Javascript to perform actions with the permissions for the old page, but actual content for the newly loaded page

The demo can be found here:

http://lcamtuf.coredump.cx/ierace/

The more serious of the two Firefox flaws is marked MAJOR and not CRITICAL and deals with the way the browser handles IFRAMEs (Cross-site IFRAME hijacking)

Javascript can be used to inject malicious code, including key-snooping event handlers, on pages that rely on IFRAMEs to display contents or store state data / communicate with the server.

A demo can be found here:

http://lcamtuf.coredump.cx/ifsnatch/

The full e-mail with details of his vulnerabilities can be found here:

[Full-disclosure] Assorted browser vulnerabilities

You can also read more at The Register or eWeek.