Microsoft’s Awareness, Months Before, of Critical Internet Explorer Bug
Microsoft recently acknowledged that hackers have been exploiting a vulnerability in Internet Explorer versions 6 and 7. The vulnerability, tracked as CVE-2008-0015, is said to have been reported to Microsoft much earlier, possibly on December 13, 2007.
Hackers are known to have been exploiting this bug for more than a month (since June 9, 2009). Computers get infected when users point Internet Explorer to certain malicious web pages. Hacker code that takes advantage of the weakness is downloaded from those sites to the computer. From this point on, the hacker may be free to do anything on the infected computer. Internet Explorer has long been known to be vulnerable to such exploits because of the way it uses ActiveX technology to implement browser plug-ins and extensions. In this particular case, hackers found that a video controller library with the filename “msvidctl.dll” had two weaknesses: a buffer overflow and a memory corruption bug.
Two researchers, Ryan Smith and Alex Wheeler, reported the buffer overflow bug to Microsoft. When asked, Smith confirmed that he had reported the bug but pointed to Wheeler as the one who did most of the work. Citing confidentiality clauses, Alex Wheeler declined to state when the bug was discovered but hinted that it may have been reported more than 18 months ago. Wheeler, who founded 3Com’s Texas-based TippingPoint DVLabs in January 2008, said that the report was sent to Microsoft before his present company was established.
IBM’s ISS X-Force, Smith and Wheeler’s former employer, also declined to say when the bug was reported to Microsoft. Another ISS X-Force employee, Robert Freeman, was credited with discovering the second bug, the memory corruption bug. According to Alex Wheeler, this video controller bug is a serious vulnerability because it is relatively easy to exploit and because it allows hackers to take advantage of the exploited computer in a reliable way. Wheeler adds that any form of client-side bug is serious, but in this particular case the reliability of the exploit puts the bug in the more serious range.
Microsoft, when asked earlier, did not respond and did not confirm whether the vulnerability had been reported in late 2007 or early 2008. Microsoft’s latest announcement, however, confirmed the attacks on this particular Internet Explorer bug and, at the same time, offered a download that was said to be able to neutralize further exploits by patching the video controller file in 45 different places. Microsoft’s Common Exposures and Vulnerability database listed CVE-2008-0015 as reported as early as December 13, 2007.
Although the code to take advantage of this particular Internet Explorer vulnerability has not been posted as widely as other exploits, Wheeler suggested that hackers may not have a hard time implementing this attack, given how relatively easy the bug is to exploit.
Wheeler further suggested that using other browsers that do not use ActiveX technology to implement browser plug-ins and extensions may be the best defense against this line of attack. Apple’s Safari, Mozilla Firefox and Google Chrome are some of the browsers named by Wheeler, although a bit of browser configuration needs to be set up.
Microsoft has already promised to patch Internet Explorer but, true to form, it has not committed to a date when the fix will be posted online for users to download. Microsoft does, however, release fixes on a regular schedule, and the next published date is July 14, 2009.