Researcher reports apparent China interest in IE hole

New 'cross_fuzz' tool is designed to find bugs in Web browsers and needs fast distribution because of an IE vulnerability leak, researcher says.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
2 min read

A security researcher who created a tool he used to find numerous bugs in major browsers has released it to the public, saying the importance of its distribution is heightened by the leak to the Web of an unpatched vulnerability in Internet Explorer.

Michal Zalewski, a Google security researcher based in Poland, announced in a blog post this weekend that he was releasing a tool called "cross_fuzz" and said its distribution was a priority because at least one of the vulnerabilities discovered by the tool appears to be known to a mysterious third party.

"I have reasons to believe that the evidently exploitable vulnerability discoverable by cross_fuzz, and outlined in msie_crash.txt, is *independently* known to third parties in China," Zalewski wrote in a separate post.

"While working on addressing cross_fuzz crashes in WebKit prior to this announcement, one of the developers accidentally leaked the address of the fuzzer in one of the uploaded crash traces. As a result, the fuzzer directory, including msie_crash.txt, has been indexed by GoogleBot," he continued. "I have confirmed that following this accident, no other unexpected parties discovered or downloaded the tool."

On December 30, there were two search queries from an IP address in China that matched keywords mentioned in one of the indexed cross_fuzz files, he said.

Of the 100 or so bugs Zalewski said he found in IE, Firefox, Opera, and browsers powered by WebKit, including Chrome and Safari, he said he notified the vendors or developers in July and that they are in varying stages of resolution. He provides a timeline for contacting Microsoft here, noting that his first contact on the matter was in May 2008.

"At this point, we're not aware of any exploits or attacks for the reported issue and are continuing to investigate and monitor the threat environment for any changes," Jerry Bryant, group manager for Trustworthy Computing response communications at Microsoft, said in a statement.