The public release of cross_fuzz – a cross-document DOM binding fuzzer that is able to detect vulnerabilities in all browsers by examining how they interact with various elements while they render web pages – by the Google-employed security researcher Michal Zalewski has unveiled some worrying information.
First, that some of the over 100 vulnerabilities found in browsers such as Internet Explorer, Firefox, Opera, and WebKit powered Chrome and Safari are still currently unpatched. Second, that at least one of the IE vulnerabilities discovered may be known to third parties apparently located in China.
Stating that this was the main reason for making the fuzzing tool and that information public, he explained how he came to that conclusion.
“While working on addressing cross_fuzz crashes in WebKit prior to this announcement, one of the developers accidentally leaked the address of the fuzzer in one of the uploaded crash traces. As a result, the fuzzer directory, including msie_crash.txt [the text file containing details of the vulnerability], has been indexed by GoogleBot,” he wrote.
Prior to that accident no one else had access to the tool, but on December 30, he registered search queries from an IP address in China using the names of two functions unique to this vulnerability as keywords – functions that at that time were not mentioned anywhere else on the Internet.
“Crucially, the person had no apparent knowledge of cross_fuzz itself, poked around the directory for a while, and downloaded all the accessible files; suggesting this not being an agent one of the notified vendors, but also being a security-minded visitor,” he said, speculating that it is likely this visitor has discovered the same vulnerability by some other means, and was searching the Internet for information about it.
The second reason for making the tool available to the public is the desire of getting feedback and help from other developers and security researchers in order to perfect the tool and resolve some issue they’ve been having when running it.
Needless to say, Microsoft is not happy that the tool has been released – in fact, according to Zalewski, they tried to make him postpone its release indefinitely. “Since they have not provided a compelling explanation as to why these issues could not have been investigated earlier, I refused,” he wrote.