Researchers have found and disclosed four critical vulnerabilities in Internet Explorer (IE) that could result in remote code execution, and no patches are available from Microsoft. Unfortunately, the disclosure left out a key word: mobile.
The details of the vulnerabilities -- ZDI-15-359, 360, 361 and 362 -- were released through Hewlett-Packard's Zero Day Initiative (ZDI) program. HP's ZDI program is part of the TippingPoint division, which buys information on unpatched, critical vulnerabilities in order to create detection signatures for its malware scanners. However, when first disclosing the vulnerabilities, ZDI didn't label them as flaws in Windows Phone.
According to Microsoft, ZDI notified it of the IE vulnerabilities in Windows in 2014, and Microsoft released patches in July 2014 (MS14-037) and March 2015 (MS15-018). ZDI then reverse-engineered those vulnerabilities and found that they also affected IE on Windows Phone.
The vulnerabilities in IE mobile were reported to Microsoft, and have now been disclosed because Microsoft did not release a patch within the 120-day window that ZDI offers vendors to remediate issues.
ZDI had not responded to requests for comment as of this writing.
Windows Phone makes up a small minority of the smartphone market as a whole, meaning less risk overall.
"We're aware of the reports regarding Internet Explorer for Windows Phone. A number of factors would need to come into play, and no attacks have been reported," a Microsoft spokesperson said. "We continue to monitor the situation and will take appropriate steps to protect our customers."