Cross_Fuzz Tool Reveals China/IE 0-Day Link

Google’s Michal Zalewski released a new security vulnerability testing tool, cross_fuzz, on New Year’s Day, announcing that it had uncovered more than 100 vulnerabilities across multiple browsers, many of them exploitable.

Zalewski also says that an accidental pre-release leak of the address of the fuzzer helped reveal that “third parties in China” apparently also know about an unpatched and exploitable vulnerability that he found in IE with the fuzzer. On Dec. 30, an IP address in China queried keywords that appear in one of the indexed cross_fuzz files: the DLL functions BreakAASpecial and BreakCircularMemoryReferences, which are associated with and unique to the zero-day IE flaw he found with the fuzzer.