An accidental leak may have confirmed Chinese hackers' suspicions that Internet Explorer has a critical unpatched vulnerability, a security researcher said Saturday.
Sunday, Microsoft said it was analyzing the vulnerability.
[ The Web browser is your portal to the world -- as well as the conduit that lets in many security threats. InfoWorld's expert contributors show you how to secure your Web browsers in this "Web Browser Security Deep Dive" PDF guide. ]
The bug was one of about 100 found by noted browser vulnerability researcher and Google security engineer Michal Zalewski using a new "fuzzing" tool. The vulnerabilities were in IE, Firefox, Chrome, Safari, and Opera.
"I have reasons to believe that the evidently exploitable vulnerability [in IE] discoverable by cross_fuzz is independently known to third parties in China," said Zalewski, referring to the "cross_fuzz" fuzzing utility he created.
According to Zalewski's account, a developer working on WebKit -- the open-source browser engine that powers both Apple's Safari and Google's Chrome -- "accidentally leaked" the location of the then-unreleased fuzzing tool. Google's search engine then added that location to its index.
"On Dec. 30, I received ... search queries from an IP address in China, which matched keywords mentioned in one of the indexed cross_fuzz files," Zalewski said.
Those searches were looking for information on a pair of functions in "Mshtml.dll," IE's browser engine, that Zalewski said were unique to the vulnerability, and that had "absolutely no other mentions on the Internet at that time."
The person or persons searching for the functions then downloaded all the available cross_fuzz files.
"[This] is very strongly indicative of an independent discovery of the same fault condition in [IE] unrelated means; other explanations for this pair of consecutive searches seem extremely unlikely," Zalewski said.
Zalewski released cross_fuzz on Saturday, even though Microsoft had not yet patched any of the IE flaws. Other browser makers, including Mozilla and Opera, as well as the WebKit team, have fixed some -- although not all -- of the bugs Zalewski found using cross_fuzz.