Redmond: IE Win 8.1 defence destroying hack ain't worth patch, natch

'Here's your $125k HP, now GO AWAY'.

HP security research bod Dustin Childs says the company couldn't get Microsoft to patch an IE exploit, so it's gone public.

Childs says the Address Space Layout Randomisation (ASLR) hole affects millions of 32-bit systems and should have been patched.

He says his former paymasters at Redmond did not consider the bug 'worth it' even though it paid $125,000 for the disclosure.

"Since Microsoft feels these issues do not impact a default configuration of IE -- thus affecting a large number of customers -- it is in their judgment not worth their resources and the potential regression risk," Childs writes.

"We disagree with that opinion and are releasing the proof-of-concept information to the community in the belief that concerned users should be as fully informed as possible in order to take whatever measures they find appropriate for their own installations.

"... we’ve handled vulnerabilities and vendor responses for nearly 10 years. This is hardly the first time a vendor has decided not to fix a problem we think they should."

The attack ultimately will become a part of hackers' toolkits when working out ways to break into the latest Internet Explorer installs on the newest Windows platforms.

Childs says the information disclosure and the Windows 7 and 8.1 proof-of-concept exploit released under HP's Zero Day Initiative are necessary to inform users.

Microsoft says it did not patch the clever bypass of its important defence mechanism because 64-bit versions of the web browser, as opposed to the affected 32-bit versions, derive the most benefit from ASLR.

It also leans on the sister defence mechanism MemoryProtection, which has led to a large drop in IE exploits.

These points skirt the question at hand, however, Childs says, because the exploit affects only 32-bit IE platforms and the millions of users operating them.

"Think of it (the exploit) as surgical tools for working around the effects of Memory Protection where possible. MemoryProtection only fully mitigates a subset of use-after-free (UAF) vulnerabilities. Is an ineffective ASLR mitigation worth a 'slight decrease' in UAF vulnerability submissions to Microsoft? It seems that for Microsoft, the answer is yes. UAF vulnerabilities still exist in IE and the ease with which ASLR can be broken only makes IE a more attractive target for attackers."

Childs was formerly Senior Technical Evangelist for Cybersecurity at Microsoft. His video demonstrating the exploit is below. ®

Youtube Video
