Four phone hijack bugs revealed in Internet Explorer after Microsoft misses patch deadline

Luckily, it just affects Windows Phone

By John Leyden


Updated Microsoft has run out of time to fix four critical security vulnerabilities in the mobile edition of Internet Explorer – prompting HP's Zero Day Initiative (ZDI) to disclose their existence without revealing any damaging details.

All four of the flaws present a remote code execution risk (i.e. an attacker could run malicious code on a Windows phone), the most serious class of vulnerability.

The existence of the flaws was revealed before patches were published, after Redmond went over the 120-day fix limit that ZDI enforces on this type of vulnerability disclosure.

This isn’t great, but there’s seemingly no need for alarm: according to independent security bug experts, there’s no sign of exploits based on the vulnerabilities.

“It is unlikely that exploit code exists at the moment and difficult to reverse engineer the vulnerabilities, as details are sparse,” explained Wolfgang Kandek, CTO of cloud security firm Qualys, in a brief blog post. “There is not much you can do at the moment, except refrain from using Internet Explorer.”

The long-running Zero Day Initiative, founded by HP acquisition TippingPoint, rewards security researchers for responsibly disclosing vulnerabilities.

TippingPoint develops IPS protection filters at the same time as it notifies affected vendors, so that software developers can work on a patch. This means that long before a fix is delivered, customers of HP TippingPoint’s intrusion prevention kit are defended against attacks that rely on the notified vulnerability.

Microsoft said it was not aware of any miscreants exploiting the four IE vulnerabilities in the wild. ®

[This article has been updated in light of new information from HP's ZDI: the advisories originally said the security bugs are present in Internet Explorer. It has now emerged that the vulnerabilities are present in the mobile edition of the web browser. – ed.]
