
HP scares IT teams with Windows Phone critical vulnerabilities

HP's Zero Day Initiative has disclosed four critical vulnerabilities found in Internet Explorer that could lead to remote code execution, but mistakenly labeled them as affecting Windows desktop rather than Windows Phone.

Researchers have found and disclosed four critical vulnerabilities in Internet Explorer (IE) that could result in remote code execution, and no patches are available from Microsoft. Unfortunately, the disclosure left out a key word: mobile.

The details of the vulnerabilities -- ZDI-15-359, ZDI-15-360, ZDI-15-361 and ZDI-15-362 -- were released through Hewlett-Packard's Zero Day Initiative (ZDI) program. HP's ZDI program is part of the TippingPoint division, which buys information on unpatched, critical vulnerabilities in order to create detection signatures for its malware scanners. However, when first disclosing the vulnerabilities, ZDI didn't label them as flaws in Windows Phone.

According to Microsoft, ZDI notified it of the IE vulnerabilities in Windows in 2014, and Microsoft released patches in July 2014 -- MS14-037 -- and March 2015 -- MS15-018. ZDI then reverse-engineered those vulnerabilities and found that they also affected IE on Windows Phone.

The vulnerabilities in IE mobile were reported to Microsoft, and have now been disclosed because Microsoft did not release a patch within the 120-day window that ZDI offers vendors to remediate issues.

ZDI had not responded to requests for comment as of this writing.

Windows Phone makes up a small minority of the smartphone market as a whole, meaning less risk overall.

"We're aware of the reports regarding Internet Explorer for Windows Phone. A number of factors would need to come into play, and no attacks have been reported," a Microsoft spokesperson said. "We continue to monitor the situation and will take appropriate steps to protect our customers."


Do you think HP was right to disclose these vulnerabilities? Does your organization use IE?
That's funny, because HP ALM software supports only IE. Their clients have to have Internet Explorer.
I don't think that they were wrong to disclose the vulnerabilities. Consumers have a right to know, after all. I do hope that they issued a correction or clarification, though, if their original statement led people to believe that Windows IE desktop version was affected. The article doesn't make that point clear.
If they did not disclose the vulnerabilities, their competition might have. I think it's better to be proactive and handle the damage control rather than let your competitors make you look bad. When so many companies are fighting for our dollar, I think there is a rush to market without thorough QA testing.