HP Researchers Disclose Details of Internet Explorer Zero Day 49
Trailrunner7 writes: Researchers at HP's Zero Day Initiative have disclosed full details and proof-of-concept exploit code for a series of bugs they discovered that allow attackers to bypass a key exploit mitigation in Internet Explorer. The disclosure is a rarity for ZDI. The company typically does not publish complete details and exploit code for the bugs it reports to vendors until after the vulnerabilities are fixed. But in this case, Microsoft has told the researchers that the company doesn't plan to fix the vulnerabilities, even though the bugs were serous enough to win ZDI's team a $125,000 Blue Hat Bonus from Microsoft. The reason: Microsoft doesn't think the vulnerabilities affect enough users.
The vulnerabilities that the ZDI researchers submitted to Microsoft enable an attacker to fully bypass ASLR (address space layout randomization), one of the many mitigations in IE that help prevent successful exploitation of certain classes of bugs. ZDI reported the bugs to Microsoft last year and disclosed some limited details of them in February. The researchers waited to release the full details until Microsoft fixed all of the flaws, but Microsoft later informed them that they didn't plan to patch the remaining bugs because they didn't affect 64-bit systems.
The vulnerabilities that the ZDI researchers submitted to Microsoft enable an attacker to fully bypass ASLR (address space layout randomization), one of the many mitigations in IE that help prevent successful exploitation of certain classes of bugs. ZDI reported the bugs to Microsoft last year and disclosed some limited details of them in February. The researchers waited to release the full details until Microsoft fixed all of the flaws, but Microsoft later informed them that they didn't plan to patch the remaining bugs because they didn't affect 64-bit systems.
Internet Explorer? (Score:5, Insightful)
Even Microsoft doesn't care about Internet Explorer anymore, why should we?
Re: (Score:3)
They are pushing their new "more secure" Edge browser now.
If they keep fixing IE, what can they claim Edge is more secure than?
Re: (Score:1)
Even Microsoft doesn't care about 32-bit Internet Explorer anymore, why should anyone?
FTFY
-AC
IE? (Score:1)
some people still use that crap?
Re: (Score:1)
Re:IE? (Score:4, Funny)
What else will you download Firefox with on a new system?
Re: (Score:1)
What else will you download Firefox with on a new system?
c:\> ftp ftp.mozilla.org
n00b.
Re: (Score:2)
I keep hearing this claim, and I see no evidence for it. Shit, I worked for redmond for years, and IE was *never* faster outside of a lab than Firefox, much less Chrome. I didn't particularly care for the immense amount of telemetry that Chrome shipped back to the goog, but it started fast and stayed that way. A fresh copy of IE/WIn8 on the other hand, was zippy for the first few days of use -- almost as fast as firefox on 32 or 64 -- but quickly bogged down with local cache writes and content inspection,
Re: (Score:2)
I have to use IE on windows every fucking working day, because certain "enterprise" vendors only make management shit (with flash, of course) that runs on windows. And what's funny is these companies products either use open source OS or core open source services on their products, without fail.
Self-fulfilling statement (Score:1)
So, Microsoft thinks there aren't many people with 32-bit versions of Windows that use vulnerable versions of Internet Explorer.
Even if they are wrong today, they will be right as soon as word of this gets out and people start panicking.
Re: (Score:2)
I doubt that most Windows users will ever hear of it. The vulnerability will probably be around for years to come providing years of entertainment for security professionals and identity theft resolution departments.
Re: (Score:2)
It isn't a vulnerability, it's a counter-mitigation technique. So 32-bit Windows isn't as effective at mitigating unknown vulnerabilities as 64-bit Windows; nothing new there.
Re:Self-fulfilling statement (Score:5, Interesting)
Read the details of the exploit. Even a successful exploitation of this yields Sweet fuck All for the attacker. You need to be running on 32 bit, have some sort of software that publishes cookies on localhost like a local website and all you get is the cookie. The vulnerability would be applicable to a fraction of a percent of machines and even then it isn't exactly giving up the crown jewels.
Re: (Score:2)
No, those are two unrelated issues. There's an exploit against IE that allows an attacker to steal localhost cookies. This affects both 32-bit and 64-bit Windows, and will presumably be patched in due course. Then there's a new counter-mitigation technique, which only affects IE on 32-bit Windows, and which Microsoft apparently aren't planning to fix. That one might allow an attacker, in possession of an exploit that potentially allows code execution, to run code when the mitigation would otherwise have
Re: (Score:2)
It isn't actually a bug, but a limitation of the mitigation technique. There's isn't any simple way to fix it.
Re: (Score:2)
Re: (Score:1)
There are thousands upon thousands of people still running this. I work for a very large national corporation who, unfortunately, still use WinXP and IE7.
Re: (Score:2)
I'm not sure IE7 even includes the mitigations that this technique defeats. If you run old software, you're more exposed to bugs - nothing new about that.
Re: (Score:1)
Who's running 32 bit Windows in 2015, anyhow?
Some low power/low RAM tablets/hybrids are shipping brand new today with 32-bit windows. 32bit OS can use a smaller memory footprint, and can actually be faster under some workloads.
and how many of those low powered devices are shipping with a web server or equivalent that is publishing localhost cookies (the second part of the requirement to get anything from the machine).
Were we reading the same article? (Score:2)
'The vulnerabilities that the ZDI researchers submitted to Microsoft enable an attacker to fully bypass ASLR (address space layout randomization [benpfaff.org]' ref [threatpost.com]
Re: (Score:2)
Those are two unrelated exploits. The advisory on the first exploit doesn't mention ASLR, the white paper on the counter-mitigation technique doesn't mention cookies.
Re: (Score:2)
Actually the article confuses two unrelated security issues. Microsoft said they weren't planning to do anything about the counter-mitigation technique, which may allow an attacker to bypass ASLR in IE on 32-bit Windows. The cookie-stealing vulnerability will presumably be patched in due course.
"Having an HTTP (web) server listening locally" (Score:4, Interesting)
Re: (Score:1)
Re: (Score:2)
No more so than before. :-)
The mitigations that this research affects weren't introduced until 2014 anyway.
If only (Score:1)
I could have read about this on Secunia, my windows xp would have never had any problems.
Oh wait, I only run linux in my house.
Re: (Score:2)
These are two unrelated issues - a vulnerability which affects machines that have web servers running on localhost, and a counter-mitigation technique that affects IE running on 32-bit Windows. Those machines are probably affected by both issues, but the first will probably be patched in due course and the second isn't an exploit as such but a method of making other exploits more effective.
There are a number of mitigation techniques that either don't exist or aren't as effective on 32-bit Windows. I don't
Worthless exploits (Score:2)
Guess this 'researcher' has never considered using IPv6.
Unrelated vulnerabilities (Score:2)
The vulnerability described in the first link appears to be completely unrelated to the vulnerability discussed in the second link. One is a straightforward information exposure vulnerability, the other is a counter-mitigation technique that bypasses ASLR.
I've checked the detailed reports, too; neither "ASLR" nor "mitigation" appear in the first report, and neither "cookies" nor "localhost" appear in the second report. They're from different people and different organizations. Apart from the fact that th