Chinese hackers probe IE security flaw
p2pnet view Security:- Chinese hackers may be very well aware of a “critical unpatched vulnerability”, says Computerworld.
“The bug was one of about 100 found by noted browser vulnerability researcher and Google security engineer Michal Zalewski (right) using a new ‘fuzzing’ tool”, says the story, going on to say the vulnerabilities were also found in Firefox, Chrome, Safari and Opera.
According to Zalewski, a developer working on WebKit — the open-source browser engine that powers both Apple’s Safari and Google’s Chrome — “accidentally leaked” the location of the then-unreleased fuzzing tool. Google’s search engine then added that location to its index.
“On Dec. 30, I received … search queries from an IP address in China, which matched keywords mentioned in one of the indexed cross_fuzz files,” Zalewski said, the story states, continuing:
“Those searches were looking for information on a pair of functions in ‘Mshtml.dll,’ IE’s browser engine,” he said, which were unique to the vulnerability and had “absolutely no other mentions on the Internet at that time.”
“The person or persons searching for the functions then downloaded all the available cross_fuzz files.”
Address ‘accidentally leaked’
On http://lcamtuf.coredump.cx/, Zalewski states >>>
I have reasons to believe that the evidently exploitable vulnerability discoverable by cross_fuzz, and outlined in msie_crash.txt, is independently known to third parties in China.
While working on addressing cross_fuzz crashes in WebKit prior to this announcement, one of the developers accidentally leaked the address of the fuzzer in one of the uploaded crash traces. As a result, the fuzzer directory, including msie_crash.txt, has been indexed by GoogleBot.
I have confirmed that following this accident, no other unexpected parties discovered or downloaded the tool; however, on December 30, I received the following search queries from an IP address in China, which matched keywords mentioned in one of the indexed cross_fuzz files:
125.77.xxx.x - - [30/Dec/2010:11:11:31 +0100]
GET /cross_fuzz/msie_crash.txt HTTP/1.1
Referer: http://www.google.com.hk/search?q=mshtml+breakaaspecial&hl=zh-CN&newwindow=1&safe=strict&client=pub-1549238212314499&prog=aff&channel=8696049412&sa=2
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; CIBA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; GreenBrowser)
125.77.xxx.x - - [30/Dec/2010:11:39:15 +0100]
GET /cross_fuzz/msie_crash.txt HTTP/1.1
Referer: http://www.google.com.hk/search?client=pub-1549238212314499&prog=aff&channel=8696049412&q=breakcircularmemoryreferences
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; CIBA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; GreenBrowser)
These search queries are looking for information on two MSHTML.DLL functions – BreakAASpecial and BreakCircularMemoryReferences – that are unique to the stack signature of this vulnerability, and had *absolutely* no other mentions on the Internet at that time.
The person had no apparent knowledge of cross_fuzz itself, poked around the directory for a while, and downloaded all the accessible files; suggesting this not being an agent of one of the notified vendors, but also being a security-minded visitor.
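Detection logic for the access-log pattern Zalewski describes, as an added example and not code from his page or from cross_fuzz: it parses records in the same four-line layout as the excerpt above, extracts the query terms from Google search referers, and flags requests whose terms include the two function names he cites. The sample log is constructed here (the third record is a made-up control hit that should not be flagged).

```python
import re
from urllib.parse import urlparse, parse_qs

# Function names the page cites as unique to the crash's stack signature.
WATCH_TERMS = {"breakaaspecial", "breakcircularmemoryreferences"}

# Constructed sample in the same layout as the quoted log excerpt
# (IP partially redacted as on the page; third record is a control).
SAMPLE_LOG = """\
125.77.xxx.x - - [30/Dec/2010:11:11:31 +0100]
GET /cross_fuzz/msie_crash.txt HTTP/1.1
Referer: http://www.google.com.hk/search?q=mshtml+breakaaspecial&hl=zh-CN
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
125.77.xxx.x - - [30/Dec/2010:11:39:15 +0100]
GET /cross_fuzz/msie_crash.txt HTTP/1.1
Referer: http://www.google.com.hk/search?client=x&q=breakcircularmemoryreferences
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
198.51.100.7 - - [30/Dec/2010:12:02:09 +0100]
GET /cross_fuzz/ HTTP/1.1
Referer: http://www.google.com/search?q=cross_fuzz+browser+fuzzer
User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6
"""

# One record = header line, request line, Referer line, User-Agent line.
RECORD_RE = re.compile(
    r"^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\]\n"
    r"GET (?P<path>\S+) HTTP/1\.[01]\n"
    r"Referer: (?P<ref>\S+)\n"
    r"User-Agent: (?P<ua>.*)$",
    re.MULTILINE,
)

def search_terms(referer):
    """Lower-cased words of the 'q' parameter of a Google search referer."""
    parsed = urlparse(referer)
    if not parsed.netloc.startswith("www.google."):
        return set()
    words = set()
    for q in parse_qs(parsed.query).get("q", []):  # '+' decodes to a space
        words.update(q.lower().split())
    return words

def flag_records(log_text, watch=WATCH_TERMS):
    """Return (ip, timestamp, path, matched_terms) for every watched hit."""
    hits = []
    for m in RECORD_RE.finditer(log_text):
        matched = search_terms(m["ref"]) & watch
        if matched:
            hits.append((m["ip"], m["ts"], m["path"], sorted(matched)))
    return hits
```

Two consecutive flagged hits from one IP, each on a different watched term, is the pattern the post treats as evidence of independent discovery.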
“The pattern is very strongly indicative of an independent discovery of the same fault condition in MSIE by unrelated means”, Zalewski says, adding, “other explanations for this pair of consecutive searches seem extremely unlikely.”
Computerworld has Jerry Bryant, an MSRC spokesman, saying yesterday, “neither Microsoft nor the Google security researcher identified any issues. On December 21, a new version of the tool was reported to us along with information about a potentially exploitable crash found by the new version. We immediately worked to reproduce the issue with the updated and original tool and are currently investigating it further to determine if it is actually exploitable.”
Zalewski “released cross_fuzz on Saturday, even though Microsoft had not yet patched any of the IE flaws”, it says, noting:
“Other browser makers, including Mozilla and Opera, as well as the WebKit team, have fixed some — although not all — of the bugs Zalewski found using cross_fuzz.
“Microsoft asked Zalewski to delay cross_fuzz’s release, but he declined, in part because of his fear the IE vulnerability was already being explored by Chinese hackers, but also because the company’s security experts had not responded to information he provided.”
Fuzzing “is a common research practice used to locate vulnerabilities and find flaws in code”, the story says, adding:
“A fuzzer automates the technique by inputting data into applications or operating system components to see if — and where — crashes occur.”
Computerworld – Chinese hackers dig into new IE bug, says Google researcher, January 3, 2011
January 3rd, 2011 at 6:57 pm
Look for the right photo, morons. You have attached a photo of a guy with the same name but that’s not lcamtuf. Use Google graphics search, not facebook. This is lcamtuf: http://www.soldierx.com/system/files/hdb/zalewski.jpg
January 3rd, 2011 at 11:21 pm
@ rst: You’re right. Fixed. Thanks. It’s good when someone points out mistakes, and your comment was so nicely worded.
Also see http://www.p2pnet.net/story/1280 – The Net isn’t about to melt
Cheers!
January 4th, 2011 at 11:28 am
@Jon:
S’okay.
All he’s done is placed a burden on himself to be “perfect” in future postings, or come out with egg on his face.