Compass Security Event 2006 - Internet Explorer Fuzzing and Microsoft Incident Handling
In January 2006, using fuzzing techniques, I discovered the HTML Parsing Vulnerability CVE-2006-1185 in Internet Explorer versions 5.01 to 6.0 SP2. I reported this bug to Microsoft by responsible disclosure, which in turn led to one of the fixes in April’s Super Tuesday Internet Explorer cumulative patch MS06-013. But how did I get there?
The whole thing got started in December 2005 with a presentation Ilja van Sprundel held at the 22C3 in Berlin. Since I was working on a new course on content security, I thought I would give it a try and play around with fuzzing. I took Michal Zalewski’s mangleme fuzzer, which had already been used to identify the IFRAME vulnerability CVE-2004-1050, and modified it to cover all HTML tags which are supported by Internet Explorer.
Within a quarter of an hour I had my first reproducible sample which crashed Internet Explorer. Within the next couple of hours I found additional reproducible crashes. So what was I going to do? Test Microsoft’s Incident Handling. So I took all the samples and sent them to secure@microsoft.com. After 2 weeks Microsoft confirmed that one of the repros was indeed doing more than crashing the browser. So I had found my first zero-day vulnerability in a bulk product.
At Compass Security Event 2006 I held a talk on how I fuzzed the bug out of Internet Explorer and how Microsoft has responded to my report. Included was an introduction to fuzzing and a timeline of events from discovery until now. The slides can be found here.