A French information security company VUPEN has recently disclosed that it held onto a serious Internet Explorer (IE) vulnerability for at least three years before revealing it at the Pwn2Own hacker competition held in March this year.
The critical zero-day vulnerability affected versions 8, 9, 10 and 11 of Internet Explorer browser that allowed attackers to remotely bypass the IE Protected Mode sandbox. An attacker can exploit this issue to gain elevated privileges.
VULNERABILITY DISCLOSURE TIMELINE
According to a disclosure made by the security company last week, the vulnerability with ID CVE-2014-2777 was discovered by the company on 12 February 2011, which was patched by Microsoft last month.
- 12 February 2011 - IE Zero-day discovered by Vupen.
- 13 March 2014 - Vupen reported to Microsoft.
- 11 June 2014 - Microsoft Released patch and publicly released the advisory.
Sandbox is security mechanism used to run an application in a restricted environment. If an attacker is able to exploit the browser in a way that lets him run arbitrary code on the machine, the sandbox would help prevent this code from causing damage to the system. So, if attackers are able to bypass the sandbox mechanism, they could run malicious code on the victim's machine.
"The vulnerability is caused due to an invalid handling of a sequence of actions aimed to save a file when calling 'ShowSaveFileDialog()', which could be exploited by a sandboxed process to write files to arbitrary locations on the system and bypass IE Protected Mode sandbox," wrote the company.
BAZAR OF ZERO-DAY EXPLOITS
VUPEN's specialty is in discovering zero-day vulnerabilities in software from major producers in order to sell the exploits to the highest bidder, typically to law enforcement and government intelligence agencies, and HP's Zero Day Initiative.
VUPEN also exploited several targets in March Pwn2Own competition, including Chrome, Adobe Flash and Adobe Reader, and Microsoft's Internet Explorer, taking home $400,000 of the total contest payout.
MICROSOFT ALSO KEPT SOMETHING HIDDEN
Microsoft also kept hidden a critical Zero-Day vulnerability of Internet explorer 8 from all of us, since October 2013, which was a zero day remote code execution flaw that affected the Internet Explorer version 8 and allowed a remote attacker to execute arbitrary code through a bug in CMarkup objects.
Now, the question arises — Does Microsoft keep these critical vulnerability hidden in its browser intentionally? or Does Microsoft not care about the security of its users that its security team left three years old vulnerability undiscovered?
VULNERABILITY ON PLANET MARS
Last month a 20 year-old critical subtle integer overflow vulnerability was discovered in the Lempel-Ziv-Oberhumer (LZO), an extremely efficient data compression algorithm that focuses on decompression speed, which is almost five times faster than zlib and bzip compression algorithms.
The most popular algorithm is used in the Linux kernel, some Samsung Android mobile devices, other embedded devices and several open-source libraries including OpenVPN, MPlayer2, Libav, FFmpeg. It even made its way onto the Mars Curiosity rover.
