Microsoft won’t fix Internet Explorer zero-day

HP researchers release exploit code after Microsoft declines to issue patch.

HP researchers have published details and proof-of-concept exploit code for a number of zero-day vulnerabilities in Microsoft’s Internet Explorer web browser which allow attackers to bypass a key exploit mitigation.

The researchers – part of HP’s zero-day initiative team – have a policy to only disclose details of bugs reported to vendors after patches are issued.

But the team decided to go public after being informed by Microsoft that it did not intend to fix the bugs as the company feels the vulnerabilities don’t affect enough users.

The flaws were serious enough, however, for Microsoft to earlier award the HP team a US$125,000 bug bounty.

The researchers had discovered that an attacker could fully bypass address space layout randomisation (ASLR) and data execution protection (DEP) in Windows, beating the Isolated Heap and MemoryProtection mitigation measures Microsoft introduced last year for IE.

ASLR makes it difficult for attackers to work out where data is located in a computer’s memory; DEP uses the system processor to mark areas of memory as non-executable, preventing malicious code from running in that space.

The HP team said it reported the vulnerabilities to Microsofft last year and had opted to wait to release full details of the flaws until they were fixed.

However, the security researchers were told by Microsoft that as the flaws didn’t affect 64-bit systems, they would not be patched.

HP researcher Dustin Childs said while Microsoft was technically correct – “a 64-bit system has a much larger address space than a 32-bit system, which makes ASLR that much more effective” – millions of 32-bit systems were still at risk from the flaw.

Microsoft’s forthcoming Windows 10 operating system will also have a 32-bit edition.

“To demonstrate this, we have released proof-of-concept (PoC) code to demonstrate this bypass on Windows 7 and Windows 8.1,” Childs, formerly the group manager of response communications at Microsoft’s security department, wrote.

The exploit abuses the Internet Explorer MemoryProtection protective measure to work out where in memory a certain dynamic link library (DLL) is stored, bypassing ASLR.

By leveraging a use-after-free (UAF) vulnerability, the researchers were able to use the address of the DLL to update a return-oriented programming chain, and transfer execution to it.

This process bypasses the hardware DEP security measure, and the PoC executes a benign shell-code to launch the Windows calculator application.

He said his team had decided to release the proof-of-concept exploit code and full details to arm users with as much information as possible to defend against potential attack.

“Since Microsoft feels these issues do not impact a default configuration of IE (thus affecting a large number of customers), it is in their judgment not worth their resources and the potential regression risk,” Childs wrote.

“We disagree with that opinion and are releasing the PoC information to the community in the belief that concerned users should be as fully informed as possible in order to take whatever measures they find appropriate for their own installations.”

By Allie Coyne, Juha Saarinen
Published in:,microsoft-wont-fix-internet-explorer-zero-day.aspx#ixzz3eUzBwOYD