Zero-day treasure hunt: Researcher hides IE attack on Web

Security researcher Aviv Raff has published code that would allow someone to take control of a computer running Internet Explorer, but there's a catch. He's not saying exactly where he's hidden the attack.

"Somewhere in my blog, I embedded a proof-of-concept code that exploits this zero-day vulnerability," Raff wrote in a Wednesday blog posting. A zero-day attack is a previously undisclosed software flaw that has not been fixed by the software maker.

The bug, which affects Internet Explorer 7 and IE 8, could allow an attacker to run unauthorized software on a victim's computer. Raff informed Microsoft of the flaw on Tuesday and the software vendor has not yet patched it, Raff said.

Microsoft didn't get much time to fix the bug, but Raff said he didn't feel that Microsoft would address the issue quickly unless he went public with the vulnerability.

When he has followed Microsoft's responsible disclosure guidelines in the past, the company has been too slow to fix bugs, he said via instant message. "The last time I used their Responsible Disclosure policy it took them six months to fix one line of code."

For Raff's attack to work, the hacker would first have to put a small amount of HTML code on a Web site and then persuade the victim to use a specific Internet Explorer feature on that site, he said.

The Israeli hacker said that the idea of disclosing his attack in a treasure hunt came from a local custom of playing such games during Israel's Independence Day, which falls on Thursday.

Raff has put the code on his own Web site, and he will offer clues as to what people must do to trigger the flaw over the next few days. When triggered, Raff's proof-of-concept code launches two copies of Microsoft's calculator software on the victim's computer, but it could be altered to do something malicious.

Next Wednesday, he will release full details of the bug along with his proof-of-concept code.

Microsoft was unable to immediately comment for this story.