Slashdot Mirror

← Back to Stories (view on slashdot.org)

HP Researchers Disclose Details of Internet Explorer Zero Day

Posted by Soulskill on from the let's-see-if-the-Won't-Fix-tag-can-withstand-PR dept.

Trailrunner7 writes: Researchers at HP's Zero Day Initiative have disclosed full details and proof-of-concept exploit code for a series of bugs they discovered that allow attackers to bypass a key exploit mitigation in Internet Explorer. The disclosure is a rarity for ZDI. The company typically does not publish complete details and exploit code for the bugs it reports to vendors until after the vulnerabilities are fixed. But in this case, Microsoft has told the researchers that the company doesn't plan to fix the vulnerabilities, even though the bugs were serous enough to win ZDI's team a $125,000 Blue Hat Bonus from Microsoft. The reason: Microsoft doesn't think the vulnerabilities affect enough users.

The vulnerabilities that the ZDI researchers submitted to Microsoft enable an attacker to fully bypass ASLR (address space layout randomization), one of the many mitigations in IE that help prevent successful exploitation of certain classes of bugs. ZDI reported the bugs to Microsoft last year and disclosed some limited details of them in February. The researchers waited to release the full details until Microsoft fixed all of the flaws, but Microsoft later informed them that they didn't plan to patch the remaining bugs because they didn't affect 64-bit systems.

5 of 49 comments (clear)

  1. Internet Explorer? by ArcadeMan · · Score: 4, Insightful

    Even Microsoft doesn't care about Internet Explorer anymore, why should we?

    --
    Get free satoshi (Bitcoin) and Dogecoins
    1. Re:Internet Explorer? by viperidaenz · · Score: 2

      They are pushing their new "more secure" Edge browser now.
      If they keep fixing IE, what can they claim Edge is more secure than?

  2. Re:Self-fulfilling statement by bloodhawk · · Score: 5, Interesting

    Read the details of the exploit. Even a successful exploitation of this yields Sweet fuck All for the attacker. You need to be running on 32 bit, have some sort of software that publishes cookies on localhost like a local website and all you get is the cookie. The vulnerability would be applicable to a fraction of a percent of machines and even then it isn't exactly giving up the crown jewels.

  3. "Having an HTTP (web) server listening locally" by l0n3s0m3phr34k · · Score: 3, Interesting

    "is not too rare" per TFA. That seems to be part of said vulnerability. I've had some major clients run a localized IIS / SQL This won't effect the majority of users then, but it will specifically effect a huge number of corporate users. One client that has a setup that would be affected, with 5000+ users...who also have very juicy account info, at least for other large pharma corps who are also doing trials on diabetic drugs, cardio drugs, etc.

  4. Re:IE? by KiloByte · · Score: 3, Funny

    What else will you download Firefox with on a new system?

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.