This article is more than 1 year old
Four phone hijack bugs revealed in Internet Explorer after Microsoft misses patch deadline
Luckily, it just affects Windows Phone
Updated Microsoft has run out of time to fix four critical security vulnerabilities in the mobile edition of Internet Explorer – prompting HP's Zero Day Initiative (ZDI) to disclose their existence without revealing any damaging details.
All four of the flaws present a remote code execution (i.e. malicious code injection on a Windows phone) risk, the most serious class of vulnerability.
The existence of the flaws was revealed before patches were published, after Redmond went over the 120-day fix limit that ZDI enforces on this type of vulnerability disclosure.
This isn’t great, but there’s seemingly no need for alarm, as according to independent security bug experts there’s no sign of exploits based on the vulnerabilities.
“It is unlikely that exploit code exists at the moment and difficult to reverse engineer the vulnerabilities, as details are sparse,” explained Wolfgang Kandek, CTO of cloud security firm Qualys, in a brief blog post. “There is not much you can do at the moment, except refrain from using Internet Explorer.”
The long-running Zero Day Initiative, founded by HP acquisition TippingPoint, rewards security researchers for responsibly disclosing vulnerabilities.
TippingPoint develops IPS protection filters at the same time as notifying affected vendors, so that software developers can develop a patch. This means that long before the delivery of a fix, customers of HP TippingPoint’s intrusion prevention kit are defended against attacks that rely on the notified vulnerability.
Microsoft said it was not aware of any miscreants exploiting the four IE vulnerabilities in the wild. ®
[This article has been updated in light of new information from HP's ZDI: the advisories originally said the security bugs are present in Internet Explorer. It has now emerged that the vulnerabilities are present in the mobile edition of the web browser. – ed.]