Redmond: IE Win 8.1 defence destroying hack ain't worth patch, natch

'Here's your $125k HP, now GO AWAY'.


HP security research bod Dustin Childs says the company couldn't get Microsoft to patch an IE exploit, so it's gone public.

Childs says the Address Space Layout Randomisation (ASLR) hole affects millions of 32-bit systems and should have been patched.

He says his former paymasters at Redmond did not consider the bug 'worth it' even though Microsoft paid $125,000 for the disclosure.

"Since Microsoft feels these issues do not impact a default configuration of IE -- thus affecting a large number of customers -- it is in their judgment not worth their resources and the potential regression risk," Childs writes.

"We disagree with that opinion and are releasing the proof-of-concept information to the community in the belief that concerned users should be as fully informed as possible in order to take whatever measures they find appropriate for their own installations.

"... we’ve handled vulnerabilities and vendor responses for nearly 10 years. This is hardly the first time a vendor has decided not to fix a problem we think they should."

The attack ultimately will become a part of hackers' toolkits when working out ways to break into the latest Internet Explorer installs on the newest Windows platforms.

Childs says the information disclosure and the Windows 7 and 8.1 proof-of-concept exploit, released under HP's Zero Day Initiative, are necessary to inform users.

Microsoft says it did not patch the clever bypass of its important defence mechanism because it is the 64-bit versions of the browser, rather than the affected 32-bit versions, that derive most of the benefit from ASLR.

It also leans on the sister defence mechanism, MemoryProtection, which it credits with a large drop in IE exploits.

These arguments skirt the question at hand, however, Childs says, because the exploit affects 32-bit IE, and millions of users are still running it.

"Think of it (the exploit) as surgical tools for working around the effects of Memory Protection where possible. MemoryProtection only fully mitigates a subset of use-after-free (UAF) vulnerabilities. Is an ineffective ASLR mitigation worth a 'slight decrease' in UAF vulnerability submissions to Microsoft? It seems that for Microsoft, the answer is yes. UAF vulnerabilities still exist in IE and the ease with which ASLR can be broken only makes IE a more attractive target for attackers."

Childs was formerly Senior Technical Evangelist for Cybersecurity at Microsoft. His video demonstrating the exploit is below. ®

Youtube Video


Biting the hand that feeds IT © 1998–2021