Google Researcher Finds New MSFT Zero-Day Exploit
Microsoft was caught off guard by public disclosure of a new zero-day hole in Internet Explorer 8. But the hacker who published the exploit says he notified Microsoft in advance and only acted after the company ignored him.
So much for Microsoft's pitch for civility and cooperation in revealing new security exploits in its products to software vendors in advance of making them public.
Civility aside, hackers are still outing security exploits because they say Microsoft (NASDAQ: MSFT) ignores them when they report the holes privately, with another zero-day vulnerability revealed in just the past few days.
The latest is a hole in Internet Explorer 8 (IE8) that could force users' systems to send out Twitter posts unbidden.
Chris Evans, a Google employee, posted a brief discussion of the problem as well as a link to a proof-of-concept exploit late Friday on the Full Disclosure security mailing list.
Evans said in his post that he published the exploit "in an attempt to get this bug fixed." He claims that he did, in fact, act in good faith and notified Microsoft well in advance of publication.
"I have been unsuccessful in persuading the vendor to issue a fix. The bug permits -- for example -- an arbitrary website to force the victim to make tweets," Evans said.
Evans is the second Google employee to publicly disclose a zero-day exploit in recent months. Google security researcher Tavis Ormandy published exploits for holes in Microsoft products on at least two occasions in the past several months, including one that was 17 years old.
Microsoft (NASDAQ: MSFT) called for what it dubs "coordinated vulnerability disclosure" in a blog post in late July. The idea is partly to get white hat hackers to reveal security holes to Microsoft before going public with them.
In an e-mail to InternetNews.com, Evans declined to discuss the security hole beyond his post to Full Disclosure. He would not say when he notified Microsoft. However, in his post, he did say that there is evidence that implies that Microsoft knew of the problem "since at least 2008."
"Microsoft is investigating the disclosure of a vulnerability in Internet Explorer. Were currently unaware of any attacks trying to use the claimed vulnerability or of customer impact," Jerry Bryant, group manager for response communications at Microsoft, said in a statement e-mailed to InternetNews.com.
"Microsoft continues to encourage coordinated vulnerability disclosure. Reporting vulnerabilities directly to vendors helps ensure that customers receive comprehensive, high-quality updates before cyber criminals learn of a vulnerability and work to exploit it," Bryant added.
As usual, Microsoft said its security researchers are examining the vulnerability and will do whatever is appropriate, whether that includes a security advisory or a security bulletin and an accompanying patch.
In his Full Disclosure post, Evans said there is "no reasonable workaround" and also that the fault lies with IE8 and not with Twitter. Earlier versions of IE may also be vulnerable, but that has not yet been tested.
Microsoft was not immediately available to address whether and when Evans notified the company of the IE8 problem.
Follow eSecurityPlanet on Twitter @eSecurityP.