Microsoft Announces "cross_fuzz, Internet Explorer's 0-day" and More!

Microsoft announced that it is investigating reports of a zero-day vulnerability affecting Internet Explorer. The issue was detected using cross_fuzz, a browser fuzzing tool released by Google researcher Michal Zalewski on January 1st, 2010.

Jerry Bryant notes that "neither Microsoft's security researchers, nor Zalewski were capable of identifying any issues in IE using the initial version of cross_fuzz. However, this apparently changed on Dec 21, 2010, with a version of the tool, reported information about a potentially exploitable crash found by the new version.

We immediately worked to reproduce the issue with the updated and original tool and are currently investigating it further to determine if it's actually exploitable.

At this point, we're not aware of any exploits or attacks for the reported issue and are continuing to investigate and monitor the threat environment for any changes," Bryant explained.

"Security is an industry-wide issue and Microsoft is committed to working with researchers and/or the companies who employ them, when they discover potential vulnerabilities and this case is no exception.

Working with software vendors to address potential vulnerabilities in their products before details are made public reduces the overall risk to customers. In this case, risk has now been amplified. We'll continue to investigate this issue and take appropriate action to help protect customers," Bryant added.

More information here.
