Monday, January 3, 2011

Accidental Leak Reveals Chinese Hackers Have IE ZeronDay

Via DarkReading.com -

A renowned Google researcher who this week released a new free fuzzer that so far has found around 100 vulnerabilities in all browsers says Chinese hackers appear to have gotten their hands on one of the same bugs he discovered with the tool.

Google's Michal Zalewski unleashed the so-called cross_fuzz tool on New Year's Day and announced the fuzzer to date uncovered more than 100 vulnerabilities, many of them exploitable, in all browsers.

In a bizarre twist, Zalewski says an accidental leak of the address of the fuzzer prior to its release helped reveal some unexpected intelligence, namely that "third parties in China" apparently also know about an unpatched and exploitable bug he found in IE with the fuzzer. It all started when one of cross_fuzz's developers, who was working on crashes in the open-source WebKit browser engine used in Chrome and Safari, inadvertently leaked the address of the fuzzer in one of the crash traces that was uploaded. That made the fuzzer's directory, as well as the IE test results from the fuzzer indexed by GoogleBot, he says.

Zalewski says he was able to confirm afterward that there were no downloads or discoveries of the tool. But on Dec. 30, he says, an IP address in China queried keywords included in one of the indexed cross_fuzz files, specifically two DLL functions, BreakAASpecial and BreakCircularMemoryReferences, associated with and unique to the zero-day IE flaw he found with the fuzzer.

"The person had no apparent knowledge of cross_fuzz itself, poked around the directory for a while, and downloaded all the accessible files; suggesting this not being an agent one of the notified vendors, but also being a security-minded visitor," Zalewski explained in his blog post. "The pattern is very strongly indicative of an independent discovery of the same fault condition in MSIE by unrelated means; other explanations for this pair of consecutive searches seem extremely unlikely."


------------------------------------------------------------------------------------------------------------------------

Announcing cross_fuzz, a potential 0-day in circulation, and more
http://lcamtuf.blogspot.com/2011/01/announcing-crossfuzz-potential-0-day-in.html

Cross_fuzz tool - http://lcamtuf.coredump.cx/cross_fuzz/

No comments:

Post a Comment