Four phone hijack bugs revealed in Internet Explorer after Microsoft misses patch deadline

Luckily, it just affects Windows Phone

By John Leyden


Updated Microsoft has run out of time to fix four critical security vulnerabilities in the mobile edition of Internet Explorer – prompting HP's Zero Day Initiative (ZDI) to disclose their existence without revealing any damaging details.

All four of the flaws present a remote code execution (i.e. malicious code injection on a Windows phone) risk, the most serious class of vulnerability.

The existence of the flaws was revealed before patches were published, after Redmond went over the 120-day fix limit that ZDI enforces on this type of vulnerability disclosure.

This isn’t great, but there’s seemingly no need for alarm: according to independent security experts, there’s no sign of exploits based on the vulnerabilities.

“It is unlikely that exploit code exists at the moment and difficult to reverse engineer the vulnerabilities, as details are sparse,” explained Wolfgang Kandek, CTO of cloud security firm Qualys, in a brief blog post. “There is not much you can do at the moment, except refrain from using Internet Explorer.”

The long-running Zero Day Initiative, founded by HP acquisition TippingPoint, rewards security researchers for responsibly disclosing vulnerabilities.

TippingPoint develops IPS protection filters at the same time as notifying affected vendors, so that software developers can develop a patch. This means that long before the delivery of a fix, customers of HP TippingPoint’s intrusion prevention kit are defended against attacks that rely on the notified vulnerability.

Microsoft said it was not aware of any miscreants exploiting the four IE vulnerabilities in the wild. ®

[This article has been updated in light of new information from HP's ZDI: the advisories originally said the security bugs are present in Internet Explorer. It has now emerged that the vulnerabilities are present in the mobile edition of the web browser. – ed.]
