Researchers at an HP security division have publicly detailed four code-execution vulnerabilities that can be used to hijack end-user smartphones running the latest versions of Microsoft's Internet Explorer browser.
The disclosures earlier this week came more than six months after researchers from HP-owned TippingPoint first privately reported the bugs to Microsoft security engineers. According to the four published advisories, Microsoft officials acknowledged the bugs and in each case asked for an extension beyond the four months TippingPoint officials normally wait before publicly disclosing vulnerabilities. All four of the extensions expired Sunday, leading to the public disclosure of the bugs.
It remains unclear why Microsoft hasn't issued fixes. TippingPoint alerted Microsoft to three of the vulnerabilities in January and one of them last November. A Microsoft spokesman told Ars he was looking into the matter.
Update: Microsoft has issued a statement that says: "We're aware of the reports regarding Internet Explorer for Windows Phone. A number of factors would need to come into play, and no attacks have been reported. We continue to monitor the situation and will take appropriate steps to protect our customers."
All four of the bugs allow attackers to remotely execute malicious code on end-user mobile devices when they use fully patched versions of IE to visit booby-trapped websites. The bug reported in November also includes a version of IE that runs on Windows Phone