Today's release of
MS15-016 (CVE-2015-0061) fixes another of the series of browser memory disclosure bugs found with
afl-fuzz - this time, related to the handling of bi-level (1-bpp) TIFFs in Internet Explorer (yup, MSIE displays TIFFs!). You can check out a simple proof-of-concept
here, or simply enjoy this screenshot of eight subsequent renderings of the same TIFF file:
The vulnerability is conceptually similar to other previously-identified problems with GIF and JPEG handling in popular browsers (
example 1,
example 2), with the SOS handling bug in
libjpeg, or the DHT bug in
libjpeg-turbo (
details here) - so I will try not to repeat the same points in this post.
Instead, I wanted to take note of what really sets this bug apart: Microsoft has addressed it in precisely 60 days, counting form my initial e-mail to the availability of a patch! This struck me as a big deal: although vulnerability research is not my full-time job, I do have a decent sample size - and I don't think I have seen this happen for any of the few dozen MSIE bugs that I reported to MSRC over the past few years. The average patch time always seemed to be closer to 6+ months - coupled with what the somewhat odd practice of withholding attribution in security bulletins and engaging in seemingly punitive PR outreach if the reporter ever went public before that.
I am very excited and hopeful that rapid patching is the new norm - and huge thanks to MSRC folks if so :-)
No comments:
Post a Comment