Slashdot Mirror

← Back to Stories (view on slashdot.org)

HP Researchers Disclose Details of Internet Explorer Zero Day

Posted by Soulskill on from the let's-see-if-the-Won't-Fix-tag-can-withstand-PR dept.

Trailrunner7 writes: Researchers at HP's Zero Day Initiative have disclosed full details and proof-of-concept exploit code for a series of bugs they discovered that allow attackers to bypass a key exploit mitigation in Internet Explorer. The disclosure is a rarity for ZDI. The company typically does not publish complete details and exploit code for the bugs it reports to vendors until after the vulnerabilities are fixed. But in this case, Microsoft has told the researchers that the company doesn't plan to fix the vulnerabilities, even though the bugs were serous enough to win ZDI's team a $125,000 Blue Hat Bonus from Microsoft. The reason: Microsoft doesn't think the vulnerabilities affect enough users.

The vulnerabilities that the ZDI researchers submitted to Microsoft enable an attacker to fully bypass ASLR (address space layout randomization), one of the many mitigations in IE that help prevent successful exploitation of certain classes of bugs. ZDI reported the bugs to Microsoft last year and disclosed some limited details of them in February. The researchers waited to release the full details until Microsoft fixed all of the flaws, but Microsoft later informed them that they didn't plan to patch the remaining bugs because they didn't affect 64-bit systems.

27 of 49 comments (clear)

  1. Internet Explorer? by ArcadeMan · · Score: 4, Insightful

    Even Microsoft doesn't care about Internet Explorer anymore, why should we?

    --
    Get free satoshi (Bitcoin) and Dogecoins
    1. Re:Internet Explorer? by viperidaenz · · Score: 2

      They are pushing their new "more secure" Edge browser now.
      If they keep fixing IE, what can they claim Edge is more secure than?

    2. Re:Internet Explorer? by Anonymous Coward · · Score: 1

      Even Microsoft doesn't care about 32-bit Internet Explorer anymore, why should anyone?

      FTFY

      -AC

  2. Self-fulfilling statement by davidwr · · Score: 1

    So, Microsoft thinks there aren't many people with 32-bit versions of Windows that use vulnerable versions of Internet Explorer.

    Even if they are wrong today, they will be right as soon as word of this gets out and people start panicking.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Self-fulfilling statement by cold+fjord · · Score: 1

      I doubt that most Windows users will ever hear of it. The vulnerability will probably be around for years to come providing years of entertainment for security professionals and identity theft resolution departments.

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    2. Re:Self-fulfilling statement by bloodhawk · · Score: 5, Interesting

      Read the details of the exploit. Even a successful exploitation of this yields Sweet fuck All for the attacker. You need to be running on 32 bit, have some sort of software that publishes cookies on localhost like a local website and all you get is the cookie. The vulnerability would be applicable to a fraction of a percent of machines and even then it isn't exactly giving up the crown jewels.

    3. Re:Self-fulfilling statement by Raistlin77 · · Score: 1

      Except for the US Navy and their shiny new $1.9 million contract to maintain Windows XP. I wonder how many installations are 32-bit...

    4. Re:Self-fulfilling statement by MagickalMyst · · Score: 1

      "So, Microsoft thinks there aren't many people with 32-bit versions of Windows that use vulnerable versions of Internet Explorer."

      There are thousands upon thousands of people still running this. I work for a very large national corporation who, unfortunately, still use WinXP and IE7.

      --
      Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.
    5. Re:Self-fulfilling statement by harryjohnston · · Score: 1

      I'm not sure IE7 even includes the mitigations that this technique defeats. If you run old software, you're more exposed to bugs - nothing new about that.

    6. Re:Self-fulfilling statement by harryjohnston · · Score: 1

      No, those are two unrelated issues. There's an exploit against IE that allows an attacker to steal localhost cookies. This affects both 32-bit and 64-bit Windows, and will presumably be patched in due course. Then there's a new counter-mitigation technique, which only affects IE on 32-bit Windows, and which Microsoft apparently aren't planning to fix. That one might allow an attacker, in possession of an exploit that potentially allows code execution, to run code when the mitigation would otherwise have made it impossible - but it is only a counter-mitigation technique, not a vulnerability in and of itself.

    7. Re:Self-fulfilling statement by harryjohnston · · Score: 1

      It isn't a vulnerability, it's a counter-mitigation technique. So 32-bit Windows isn't as effective at mitigating unknown vulnerabilities as 64-bit Windows; nothing new there.

    8. Re:Self-fulfilling statement by harryjohnston · · Score: 1

      It isn't actually a bug, but a limitation of the mitigation technique. There's isn't any simple way to fix it.

  3. Re:IE? by Travis+Mansbridge · · Score: 1

    Exactly what I was thinking. They're right, the vulnerability doesn't effect enough users: it's in Internet Explorer.

  4. "Having an HTTP (web) server listening locally" by l0n3s0m3phr34k · · Score: 3, Interesting

    "is not too rare" per TFA. That seems to be part of said vulnerability. I've had some major clients run a localized IIS / SQL This won't effect the majority of users then, but it will specifically effect a huge number of corporate users. One client that has a setup that would be affected, with 5000+ users...who also have very juicy account info, at least for other large pharma corps who are also doing trials on diabetic drugs, cardio drugs, etc.

  5. Re:Was MS wrong? by Anonymous Coward · · Score: 1

    Who's running 32 bit Windows in 2015, anyhow?

    Some low power/low RAM tablets/hybrids are shipping brand new today with 32-bit windows. 32bit OS can use a smaller memory footprint, and can actually be faster under some workloads.

    and how many of those low powered devices are shipping with a web server or equivalent that is publishing localhost cookies (the second part of the requirement to get anything from the machine).

  6. Re:IE? by KiloByte · · Score: 3, Funny

    What else will you download Firefox with on a new system?

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  7. Were we reading the same article? by nickweller · · Score: 1

    @anonymous coward: "The exploit allows attackers to steal cookies for localhost"

    'The vulnerabilities that the ZDI researchers submitted to Microsoft enable an attacker to fully bypass ASLR (address space layout randomization' ref

    1. Re:Were we reading the same article? by harryjohnston · · Score: 1

      Those are two unrelated exploits. The advisory on the first exploit doesn't mention ASLR, the white paper on the counter-mitigation technique doesn't mention cookies.

  8. Re:IE? by xeno · · Score: 1

    I keep hearing this claim, and I see no evidence for it. Shit, I worked for redmond for years, and IE was *never* faster outside of a lab than Firefox, much less Chrome. I didn't particularly care for the immense amount of telemetry that Chrome shipped back to the goog, but it started fast and stayed that way. A fresh copy of IE/WIn8 on the other hand, was zippy for the first few days of use -- almost as fast as firefox on 32 or 64 -- but quickly bogged down with local cache writes and content inspection, tons of default temetry, and helper libraries that could not be unloaded without heading into the registry with an army of villagers weilding pitchforks and torches. Besides, it's UGLY. Why bother with it?

    --
    I think not...(*poof*)
  9. Re:IE? by fuckface · · Score: 1

    What else will you download Firefox with on a new system?

    c:\> ftp ftp.mozilla.org

    n00b.

  10. Worthless exploits by magamiako1 · · Score: 1

    The documented exploits are almost completely worthless, especially: "As for local IP address disclosure, this can be used to map an organization behind a NAT,"

    Guess this 'researcher' has never considered using IPv6.

  11. Re:if you're gonna mis-spell serious do it right by DanJ_UK · · Score: 1

    srslah

    --
    - Dan
  12. Unrelated vulnerabilities by harryjohnston · · Score: 1

    The vulnerability described in the first link appears to be completely unrelated to the vulnerability discussed in the second link. One is a straightforward information exposure vulnerability, the other is a counter-mitigation technique that bypasses ASLR.

    I've checked the detailed reports, too; neither "ASLR" nor "mitigation" appear in the first report, and neither "cookies" nor "localhost" appear in the second report. They're from different people and different organizations. Apart from the fact that they both affect IE, they've got nothing to do with one another.

  13. Re:University network by harryjohnston · · Score: 1

    These are two unrelated issues - a vulnerability which affects machines that have web servers running on localhost, and a counter-mitigation technique that affects IE running on 32-bit Windows. Those machines are probably affected by both issues, but the first will probably be patched in due course and the second isn't an exploit as such but a method of making other exploits more effective.

    There are a number of mitigation techniques that either don't exist or aren't as effective on 32-bit Windows. I don't think this one is necessarily a game-changer.

  14. Re:Was MS wrong? by harryjohnston · · Score: 1

    Actually the article confuses two unrelated security issues. Microsoft said they weren't planning to do anything about the counter-mitigation technique, which may allow an attacker to bypass ASLR in IE on 32-bit Windows. The cookie-stealing vulnerability will presumably be patched in due course.

  15. Re:Key exploit mitigation in Internet Explorer by harryjohnston · · Score: 1

    No more so than before. :-)

    The mitigations that this research affects weren't introduced until 2014 anyway.

  16. Re:IE? by rubycodez · · Score: 1

    I have to use IE on windows every fucking working day, because certain "enterprise" vendors only make management shit (with flash, of course) that runs on windows. And what's funny is these companies products either use open source OS or core open source services on their products, without fail.