Number: IRCNE2015072579
Date: 2015/07/27
According to “computerworld”, security researchers published limited details about four unpatched vulnerabilities in Internet Explorer for Windows Phone because Microsoft has not moved quickly enough to fix them.
The flaws could potentially be exploited to execute malicious code on computers when users visit compromised websites or open specially crafted documents. They were reported through Hewlett-Packard's Zero Day Initiative (ZDI) program.
The ZDI team gives vendors 120 days to develop fixes before making limited information about the reported flaws public. That deadline was apparently reached for the four Internet Explorer vulnerabilities this week.
The ZDI advisories describe the type, impact and general location of the flaws, but intentionally leave out technical details that could help attackers create exploits for them. In other words, they do not qualify as full disclosure.
One of the advisories, tracked as ZDI-15-359, covers a vulnerability that was used by security researcher Nicolas Joly during the Mobile Pwn2Own hacking contest organized by ZDI in November last year. As part of the contest rules, researchers disclose the vulnerabilities they use to ZDI, which then shares them with the affected vendors.
Because the flaw was used at Mobile Pwn2Own, reliable exploitation of it has already been proven and is not just theoretical.
Microsoft said in an emailed statement that it would take "appropriate steps" to protect its customers, but noted that no attacks had been reported so far.