
Researchers verify IE bug reported by Googler

French security firm confirms IE zero-day bug as Microsoft and Google researcher butt heads over the discovery and publication of a flaw not yet patched by Redmond, report states.
Written by Jamie Yap, Contributor

Security researchers have verified an Internet Explorer (IE) bug that sparked a faceoff between Microsoft and a Google employee over events surrounding the discovery and publication of the vulnerability, according to a report.

Vupen, a French security firm, said the IE8 bug could be exploited by remote attackers to hijack a Windows system completely, PCWorld reported Thursday. The company rated the bug its highest threat level of "critical", the report added.

The vulnerability was verified with IE8 running on Windows XP Service Pack 3 (SP3), but Vupen noted in its advisory that the bug could be exploited on Windows 7, Vista, Server 2003, Server 2008, and Server 2008 R2 as well.

Vupen claimed in a tweet that reproducing the bug was not easy.

The IE bug caused a spat between Microsoft and Googler Michal Zalewski, the Google security researcher who released on Jan. 1 a browser bug-detecting tool called "cross_fuzz", despite Microsoft's request for him to delay doing so. The IE vulnerability was among the approximately 100 bugs he found in total from five Web browsers--IE, Chrome, Firefox, Safari and Opera.

Redmond was informed of the bug by Zalewski back in July 2010, but claimed it could not reproduce any of the problems using the cross_fuzz tool until Dec. 21--when a new version of the fuzzer was provided, PCWorld stated.

Zalewski disputed this, arguing that Microsoft did not respond to his bug report for months. A separate report by Computerworld earlier this week noted that Microsoft's public statement omitted its admission to Zalewski that the company last month was able to reproduce the vulnerability using the original fuzzer tool.

Microsoft has criticized Zalewski, saying his actions have increased the risk to IE users because no patch is available yet.

The Computerworld report stated that Zalewski declined to delay releasing the fuzzer because of the lack of feedback from Microsoft as well as his suspicions that Chinese hackers knew about the vulnerability and were already tampering with it.

Microsoft and security researchers have previously crossed paths when it comes to bug disclosure. Last June, Microsoft accused another Googler, Tavis Ormandy, of irresponsible vulnerability disclosure after he went public with a Windows XP-related flaw. The tech giant has a policy of coordinated vulnerability disclosure, where it encourages researchers to refrain from publishing vulnerabilities until a patch is ready.
