Four phone hijack bugs revealed in Internet Explorer after Microsoft misses patch deadline

Luckily, it just affects Windows Phone

By John Leyden

Posted in Security, 23rd July 2015 11:18 GMT

Updated Microsoft has run out of time to fix four critical security vulnerabilities in the mobile edition of Internet Explorer – prompting HP's Zero Day Initiative (ZDI) to disclose their existence without revealing any damaging details.

All four of the flaws present a remote code execution (i.e. malicious code injection on a Windows phone) risk, the most serious class of vulnerability.

The existence of the flaws was revealed before patches were published, after Redmond went over the 120-day fix limit that ZDI enforces on this type of vulnerability disclosure.

This isn’t great, but there’s seemingly no need for alarm, as according to independent security bug experts there’s no sign of exploits based on the vulnerabilities.

“It is unlikely that exploit code exists at the moment and difficult to reverse engineer the vulnerabilities, as details are sparse,” explained Wolfgang Kandek, CTO of cloud security firm Qualys, in a brief blog post. “There is not much you can do at the moment, except refrain from using Internet Explorer.”

The long-running Zero Day Initiative, founded by HP acquisition TippingPoint, rewards security researchers for responsibly disclosing vulnerabilities.

TippingPoint develops IPS protection filters at the same time as notifying affected vendors, so that software developers can develop a patch. This means that long before the delivery of a fix, customers of HP TippingPoint’s intrusion prevention kit are defended against attacks that rely on the notified vulnerability.

Microsoft said it was not aware of any miscreants exploiting the four IE vulnerabilities in the wild. ®

[This article has been updated in light of new information from HP's ZDI: the advisories originally said the security bugs are present in Internet Explorer. It has now emerged that the vulnerabilities are present in the mobile edition of the web browser. – ed.]

Sign up to our NewsletterGet IT in your inbox daily

11 Comments

More from The Register

Oracle Access Manager is a terrible doorman: Get patching this bug

Security tool can be gamed to let any old riffraff into data

Umm, Oracle – about that patch? It might not be very sticky ...

Security researcher says WebLogic fix can be bypassed, posts proof-of-concept

Oracle point-of-sale system vulnerabilities get Big Red cross

Patched, Oracle? Speedily

OpenFlow protocol has a switch authentication vulnerability

It's old, it's everywhere and it's not likely to be fixed in a hurry

And Oracle E-biz suite makes 3: Package also vulnerable to exploit used by cryptocurrency miner

Hat trick!

Data shepherd Rubrik herds Microsoft, Oracle users towards its Alta

Now talks to Nutanix AHV, Microsoft Hyper-V and Oracle RMAN

Hurry up patching those Oracle bugs: Attackers aren't waiting

Honeypots swarmed on within three hours of patch release

Oracle scrambles to sew up horrid security holes in PeopleSoft's Tuxedo

Nothing like unauth'd hijacking, Heartbleed-style bugs to patch ASAP

Oracle WebLogic hole primed to pump Monero

Careless cloud customers neglect patch, allowing crypto miners to move in

Oracle corrals and patches Struts 2 vulnerabilities

Big Red issues out-of-band patch for Apache and a few other urgent issues