HP security research bod Dustin Childs says the company couldn’t get Microsoft to patch an IE exploit, so it’s gone public.
Childs says the Address Space Layout Randomisation (ASLR) hole affects millions of 32bit systems and should have been patched.
He says his former paymasters at Redmond did not consider the bug ‘worth it’ even though it paid $125,000 for the disclosure.
“Since Microsoft feels these issues do not impact a default configuration of IE — thus affecting a large number of customers — it is in their judgment not worth their resources and the potential regression risk,” Childs writes.
“We disagree with that opinion and are releasing the proof-of-concept information to the community in the belief that concerned users should be as fully informed as possible in order to take whatever measures they find appropriate for their own installations.
“… we’ve handled vulnerabilities and vendor responses for nearly 10 years. This is hardly the first time a vendor has decided not to fix a problem we think they should.”
The attack ultimately will become a part of hackers’ toolkits when working out ways to break into the latest Internet Explorer installs on the newest Windows platforms.
Childs says the information disclosure and Windows 7 and 8.1 proof-of-concept exploit released under HP’s Zero Day Initiative is necessary to inform users.
Microsoft says it did not patch the clever bypass of its important defence mechanism because 64-bit as opposed to the affected 32-bit versions of the web browser derive most benefit from ASLR.
It also leans on the sister defence mechanism MemoryProtect which has led to a large drop in IE exploits.
These skirt the question at hand however, Childs says, because the exploit affects only 32-bit IE platforms and the millions of users operating it.
“Think of it (the exploit) as surgical tools for working around the affects of Memory Protection where possible. MemoryProtection only fully mitigates a subset of use-after-free (UAF) vulnerabilities. Is an ineffective ASLR mitigation worth a ‘slight decrease’ in UAF vulnerability submissions to Microsoft? It seems that for Microsoft, the answer is yes. UAF vulnerabilities still exist in IE and the ease at which ASLR can be broken only makes IE a more attractive target for attackers.”
Childs was formerly Senior Technical Evangelist for Cybersecurity at Microsoft. His video demonstrating the exploit is below.