The bug was one of about 100 found by noted browser vulnerability researcher and Google security engineer Michal Zalewski using a new "fuzzing" tool. The vulnerabilities were in IE, Firefox, Chrome, Safari and Opera.
"I have reasons to believe that the evidently exploitable vulnerability [in IE] discoverable by cross_fuzz is independently known to third parties in China," said Zalewski, referring to the "cross_fuzz" fuzzing utility he created.
According to Zalewski's account, a developer working on WebKit -- the open-source browser engine that powers both Apple's Safari and Google's Chrome -- "accidentally leaked" the location of the then-unreleased fuzzing tool. Google's search engine then added that location to its index.
"On Dec. 30, I received ... search queries from an IP address in China, which matched keywords mentioned in one of the indexed cross_fuzz files," Zalewski said.
Google reseracher discovers about 100 bugs in browsers
Posted on Monday, January 03 2011 @ 21:34 CET by Thomas De Maesschalck
ComputerWorld reports an accidental leak may have confirmed Chinese hackers' suspicions that IE has a critical unpatched vulnerability. The bug is part of about 100 security flaws found by Google security engineer Michal Zalewski using a new "fuzzing" tool: