HP Discloses Info on an Unpatched Internet Explorer Vulnerability
Microsoft argues that the problem would not be addressed due to the difficulty of exploiting the hole and the small possible target size of the vulnerability.
Researchers at HP have publicly released details on a discovered flaw in Microsoft's Internet Explorer 11 browser on Tuesday.
The hole was discovered by an HP research team in February, which discovered that the flaw could be used to bypass the Address Space Layout Randomization (ASLR) feature, which helps protect memory-targeted attack bugs. The decision to release the information was made after HP Senior Security Content Developer Dustin Childs said that Microsoft had no plans on releasing a fix for the issue. It also adhered to the 120-day disclosure period that has been adopted by many in the tech industry.
"We would prefer to release this level of detail only after the bug is patched," wrote Childs in a blog post. "However, since Microsoft confirmed in correspondence with us they do not plan to take action from this research, we felt the necessity of providing this information to the public. We do so in accordance with the terms of our own ZDI vulnerability-disclosure program."
What makes this situation unique is that not only was Microsoft aware of the issue when first discovered, but it actually paid the HP researchers for discovering it. The company's security team won the Microsoft Mitigation Bypass Bounty and Blue Hat Bonus for Defense award earlier in the year and was awarded $125,000, which was ultimately donated to science and engineering education programs.
So why is Microsoft foregoing fixing an issue it paid good money to find out about? Since only 32-bit systems are affected, Microsoft argues that the ASLR flaw would be incredibly difficult to leverage against 32-bit systems. It would be easier to take advantage of the hole in 64-bit systems. However, both Microsoft and HP said that 64-bit users were immune. Childs argues, though, that just because the attack target is small, doesn't mean the issue should be ignored.
"In this situation, Microsoft's statement is technically correct -- 64-bit versions do benefit from ASLR more than 32-bit versions," said Childs. A 64-bit system has a much larger address space than a 32-bit system, which makes ASLR that much more effective. However what is lost here is that the bypass described and submitted also works for 32-bit systems, which is the default configuration on millions of systems."
Going a step further, HP also released a proof of concept showing how a 32-bit system can be affected by the flaw. "We disagree with that opinion and are releasing the proof-of-concept information to the community in the belief that concerned users should be as fully informed as possible in order to take whatever measures they find appropriate for their own installations."
This is just the latest incident in a string of public disclosures that have been released by tech firms on Microsoft vulnerabilities. In January Microsoft issued a statement condemning Google over the public release of information concerning a Windows 8.1 zero-day flaw, calling it a "gotcha" move by Google that was aimed to embarrass Microsoft.
Microsoft has not commented on today's disclosure.