Slashdot Mirror


HP Researchers Disclose Details of Internet Explorer Zero Day

Trailrunner7 writes: Researchers at HP's Zero Day Initiative have disclosed full details and proof-of-concept exploit code for a series of bugs they discovered that allow attackers to bypass a key exploit mitigation in Internet Explorer. The disclosure is a rarity for ZDI. The company typically does not publish complete details and exploit code for the bugs it reports to vendors until after the vulnerabilities are fixed. But in this case, Microsoft has told the researchers that the company doesn't plan to fix the vulnerabilities, even though the bugs were serous enough to win ZDI's team a $125,000 Blue Hat Bonus from Microsoft. The reason: Microsoft doesn't think the vulnerabilities affect enough users.

The vulnerabilities that the ZDI researchers submitted to Microsoft enable an attacker to fully bypass ASLR (address space layout randomization), one of the many mitigations in IE that help prevent successful exploitation of certain classes of bugs. ZDI reported the bugs to Microsoft last year and disclosed some limited details of them in February. The researchers waited to release the full details until Microsoft fixed all of the flaws, but Microsoft later informed them that they didn't plan to patch the remaining bugs because they didn't affect 64-bit systems.

49 comments

  1. Internet Explorer? by ArcadeMan · · Score: 4, Insightful

    Even Microsoft doesn't care about Internet Explorer anymore, why should we?

    1. Re:Internet Explorer? by viperidaenz · · Score: 2

      They are pushing their new "more secure" Edge browser now.
      If they keep fixing IE, what can they claim Edge is more secure than?

    2. Re:Internet Explorer? by Anonymous Coward · · Score: 1

      Even Microsoft doesn't care about 32-bit Internet Explorer anymore, why should anyone?

      FTFY

      -AC

  2. IE? by rubycodez · · Score: 0

    some people still use that crap?

    1. Re:IE? by Travis+Mansbridge · · Score: 1

      Exactly what I was thinking. They're right, the vulnerability doesn't affect enough users: it's in Internet Explorer.

    2. Re:IE? by KiloByte · · Score: 3, Funny

      What else will you download Firefox with on a new system?

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.

    3. Re:IE? by Anonymous Coward · · Score: 0

      You're thinking of IE6. Recent versions of IE are actually quite zippy and stable. But, as a Linux zealot, you wouldn't know anything about that.

    4. Re:IE? by xeno · · Score: 1

      I keep hearing this claim, and I see no evidence for it. Shit, I worked for Redmond for years, and IE was *never* faster outside of a lab than Firefox, much less Chrome. I didn't particularly care for the immense amount of telemetry that Chrome shipped back to the goog, but it started fast and stayed that way. A fresh copy of IE/Win8 on the other hand, was zippy for the first few days of use -- almost as fast as Firefox on 32 or 64 -- but quickly bogged down with local cache writes and content inspection, tons of default telemetry, and helper libraries that could not be unloaded without heading into the registry with an army of villagers wielding pitchforks and torches. Besides, it's UGLY. Why bother with it?

      --
      I think not...(*poof*)

    5. Re:IE? by fuckface · · Score: 1

      > What else will you download Firefox with on a new system?

      c:\> ftp ftp.mozilla.org

      n00b.

    6. Re: IE? by Anonymous Coward · · Score: 0

      Really, IE just magically slowed down after a couple of days? Just stop it already. Unless you managed to infect your computer that quickly there is no way. How many times is someone going to make that claim? The new versions of IE run pretty good, even better with an ad blocker installed. No I'm not a fanboy and I use Firefox as my default. But the times when I have to use IE it works just fine, been like that since version 11.

    7. Re:IE? by Anonymous Coward · · Score: 0

      > Why bother with it?

      I have only a handful of reasons to bother with it:
      - Sharepoint sites
      - SSRS sites
      - Web-based network management/monitoring intranet sites (Kaseya, for example)
      - Other seldom-used local intranet sites that require all kinds of JS, Java, or Flash (because I have all that shit locked down or disabled on Firefox). One that I use fairly often is SOTI MobiControl.

      This way, I have a slender list of bookmarks for intranet sites in IE, everything runs in low-security mode because it's LAN-only, and I don't have to worry about shutting down the common attack vectors in IE (again, because it's LAN-only). It leaves my locked-down Firefox configuration to stay focused on keeping bad stuff out and keeps me from accidentally whitelisting something that could cause a problem if used outside the LAN.

    8. Re:IE? by rubycodez · · Score: 1

      I have to use IE on windows every fucking working day, because certain "enterprise" vendors only make management shit (with flash, of course) that runs on windows. And what's funny is these companies products either use open source OS or core open source services on their products, without fail.

  3. Self-fulfilling statement by davidwr · · Score: 1

    So, Microsoft thinks there aren't many people with 32-bit versions of Windows that use vulnerable versions of Internet Explorer.

    Even if they are wrong today, they will be right as soon as word of this gets out and people start panicking.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.

    1. Re:Self-fulfilling statement by cold+fjord · · Score: 1

      I doubt that most Windows users will ever hear of it. The vulnerability will probably be around for years to come providing years of entertainment for security professionals and identity theft resolution departments.

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell

    2. Re:Self-fulfilling statement by bloodhawk · · Score: 5, Interesting

      Read the details of the exploit. Even a successful exploitation of this yields Sweet fuck All for the attacker. You need to be running on 32 bit, have some sort of software that publishes cookies on localhost like a local website and all you get is the cookie. The vulnerability would be applicable to a fraction of a percent of machines and even then it isn't exactly giving up the crown jewels.

    3. Re:Self-fulfilling statement by Anonymous Coward · · Score: 0

      Funny that there are enough people with 32-bit systems to justify a 32-bit version of Windows 10, but not enough of them to patch bugs.

    4. Re:Self-fulfilling statement by Raistlin77 · · Score: 1

      Except for the US Navy and their shiny new $1.9 million contract to maintain Windows XP. I wonder how many installations are 32-bit...

    5. Re:Self-fulfilling statement by Anonymous Coward · · Score: 0

      Probably most of them.

    6. Re: Self-fulfilling statement by Anonymous Coward · · Score: 0

      How many new security updates is Microsoft providing them for that $9.1 million? A bunch I'm guessing as it was probably part of their contract to make sure that IE version 8 is kept up to date.

    7. Re:Self-fulfilling statement by MagickalMyst · · Score: 1

      "So, Microsoft thinks there aren't many people with 32-bit versions of Windows that use vulnerable versions of Internet Explorer."

      There are thousands upon thousands of people still running this. I work for a very large national corporation who, unfortunately, still use WinXP and IE7.

      --
      Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.

    8. Re:Self-fulfilling statement by harryjohnston · · Score: 1

      I'm not sure IE7 even includes the mitigations that this technique defeats. If you run old software, you're more exposed to bugs - nothing new about that.

    9. Re:Self-fulfilling statement by harryjohnston · · Score: 1

      No, those are two unrelated issues. There's an exploit against IE that allows an attacker to steal localhost cookies. This affects both 32-bit and 64-bit Windows, and will presumably be patched in due course. Then there's a new counter-mitigation technique, which only affects IE on 32-bit Windows, and which Microsoft apparently aren't planning to fix. That one might allow an attacker, in possession of an exploit that potentially allows code execution, to run code when the mitigation would otherwise have made it impossible - but it is only a counter-mitigation technique, not a vulnerability in and of itself.

    10. Re:Self-fulfilling statement by harryjohnston · · Score: 1

      It isn't a vulnerability, it's a counter-mitigation technique. So 32-bit Windows isn't as effective at mitigating unknown vulnerabilities as 64-bit Windows; nothing new there.

    11. Re:Self-fulfilling statement by harryjohnston · · Score: 1

      It isn't actually a bug, but a limitation of the mitigation technique. There isn't any simple way to fix it.

  4. Was MS wrong? by Anonymous Coward · · Score: 0

    The exploit allows attackers to steal cookies for localhost. Great. What, exactly, are you going to do with a stolen localhost cookie? It's a non-routable IP address!

    The worst attack I can think of involves CSRF, which is a flaw in the web service.

    I think MS was right not to care. Who's running 32 bit Windows in 2015, anyhow?

    1. Re:Was MS wrong? by Anonymous Coward · · Score: 0

      > Who's running 32 bit Windows in 2015, anyhow?

      Some low power/low RAM tablets/hybrids are shipping brand new today with 32-bit windows. 32bit OS can use a smaller memory footprint, and can actually be faster under some workloads.

    2. Re:Was MS wrong? by Anonymous Coward · · Score: 1

      > Who's running 32 bit Windows in 2015, anyhow?

      > Some low power/low RAM tablets/hybrids are shipping brand new today with 32-bit windows. 32bit OS can use a smaller memory footprint, and can actually be faster under some workloads.

      and how many of those low powered devices are shipping with a web server or equivalent that is publishing localhost cookies (the second part of the requirement to get anything from the machine).

    3. Re:Was MS wrong? by Anonymous Coward · · Score: 0

      > Who's running 32 bit Windows in 2015, anyhow?

      > Some low power/low RAM tablets/hybrids are shipping brand new today with 32-bit windows. 32bit OS can use a smaller memory footprint, and can actually be faster under some workloads.

      > and how many of those low powered devices are shipping with a web server or equivalent that is publishing localhost cookies (the second part of the requirement to get anything from the machine).

      Exactly every single one of them. It's how their distributed Information Network operates.

    4. Re:Was MS wrong? by Anonymous Coward · · Score: 0

      > Who's running 32 bit Windows in 2015, anyhow?

      > Some low power/low RAM tablets/hybrids are shipping brand new today with 32-bit windows. 32bit OS can use a smaller memory footprint, and can actually be faster under some workloads.

      > and how many of those low powered devices are shipping with a web server or equivalent that is publishing localhost cookies (the second part of the requirement to get anything from the machine).

      > Exactly every single one of them. It's how their distributed Information Network operates.

      ummm NO. This is about localhost cookies, not cookies distributed across a network, i.e. the only cookies this applies to are cookies requested from the current machine on the localhost address.

    5. Re:Was MS wrong? by harryjohnston · · Score: 1

      Actually the article confuses two unrelated security issues. Microsoft said they weren't planning to do anything about the counter-mitigation technique, which may allow an attacker to bypass ASLR in IE on 32-bit Windows. The cookie-stealing vulnerability will presumably be patched in due course.

  5. "Having an HTTP (web) server listening locally" by l0n3s0m3phr34k · · Score: 3, Interesting

    "is not too rare" per TFA. That seems to be part of said vulnerability. I've had some major clients run a localized IIS / SQL. This won't affect the majority of users then, but it will specifically affect a huge number of corporate users. One client that has a setup that would be affected, with 5000+ users...who also have very juicy account info, at least for other large pharma corps who are also doing trials on diabetic drugs, cardio drugs, etc.

    1. Re:"Having an HTTP (web) server listening locally" by Anonymous Coward · · Score: 0

      They don't just have to have IIS running locally, they also have to be serving cookies from that service, in which case, the "vulnerability" allows the remote hacker to obtain access to..... THE COOKIE...

      So, with a little more information at your disposal, please tell us again how many of those theoretical machines you've identified are going to be impacted AT ALL by this?

      -AC

  6. if you're gonna mis-spell serious do it right by Anonymous Coward · · Score: 0

    Siriusly...

    1. Re:if you're gonna mis-spell serious do it right by DanJ_UK · · Score: 1

      srslah

      --
      - Dan

  7. Uh? WTF? by Anonymous Coward · · Score: 0

    > but Microsoft later informed them that they didn't plan to patch the remaining bugs because they didn't affect 64-bit systems.

    Hi, US Navy. How's life going?

    You know, when you think why Munich adopted Linux... this is one of the reasons.

  8. Were we reading the same article? by nickweller · · Score: 1

    @anonymous coward: "The exploit allows attackers to steal cookies for localhost"

    'The vulnerabilities that the ZDI researchers submitted to Microsoft enable an attacker to fully bypass ASLR (address space layout randomization' ref

    1. Re:Were we reading the same article? by Anonymous Coward · · Score: 0

      It seems you only read part of the article. Once they have bypassed ASLR, the exploit enables them to steal localhost cookies.

    2. Re:Were we reading the same article? by harryjohnston · · Score: 1

      Those are two unrelated exploits. The advisory on the first exploit doesn't mention ASLR, the white paper on the counter-mitigation technique doesn't mention cookies.

  9. Key exploit mitigation in Internet Explorer by Anonymous Coward · · Score: 0

    Does this mean that ASLR and DEP were ineffective in all versions of Windows since WinXP in 2004?

    Microsoft: the company that made web browsing, opening email and text editing dangerous

    1. Re:Key exploit mitigation in Internet Explorer by harryjohnston · · Score: 1

      No more so than before. :-)

      The mitigations that this research affects weren't introduced until 2014 anyway.

  10. If only by bobstreo · · Score: 0

    I could have read about this on Secunia, my windows xp would have never had any problems.

    Oh wait, I only run linux in my house.

    1. Re:If only by Anonymous Coward · · Score: 0

      Bravo. I bet you feel so smart running Linux everywhere.

    2. Re: If only by Anonymous Coward · · Score: 0

      Well isn't that special? Your mom must be proud.

  11. University network by Anonymous Coward · · Score: 0

    I wonder if this would affect my university's network.
    The IT dept here has never deployed 64bit windows.
    When I asked about this because I was surprised to see 32bit windows running on a machine with 8Gigs of RAM they answered that the 64 bit version never went through their (expensive) vetting process.
    Because there's a CS dept all machines have an apache server listening on localhost.

    1. Re:University network by harryjohnston · · Score: 1

      These are two unrelated issues - a vulnerability which affects machines that have web servers running on localhost, and a counter-mitigation technique that affects IE running on 32-bit Windows. Those machines are probably affected by both issues, but the first will probably be patched in due course and the second isn't an exploit as such but a method of making other exploits more effective.

      There are a number of mitigation techniques that either don't exist or aren't as effective on 32-bit Windows. I don't think this one is necessarily a game-changer.

  12. Corrected for you. by Anonymous Coward · · Score: 0

    > ... but Microsoft later informed them that they didn't plan to patch the remaining bugs because they didn't affect 64-bit systems.

    ... but Microsoft later informed them that they didn't plan to patch the remaining bugs because those are currently in active use as part of NSA e-espionage operations and all the Redmondites are patriotic and loyal American citizens.

  13. Worthless exploits by magamiako1 · · Score: 1

    The documented exploits are almost completely worthless, especially: "As for local IP address disclosure, this can be used to map an organization behind a NAT,"

    Guess this 'researcher' has never considered using IPv6.

  14. Unrelated vulnerabilities by harryjohnston · · Score: 1

    The vulnerability described in the first link appears to be completely unrelated to the vulnerability discussed in the second link. One is a straightforward information exposure vulnerability, the other is a counter-mitigation technique that bypasses ASLR.

    I've checked the detailed reports, too; neither "ASLR" nor "mitigation" appear in the first report, and neither "cookies" nor "localhost" appear in the second report. They're from different people and different organizations. Apart from the fact that they both affect IE, they've got nothing to do with one another.