The HP security expert Dustin Childs publicly disclosed a Microsoft IE exploit based on a flaw that resides in Address Space Layout Randomisation (ASLR). ASLR is a security feature implemented to mitigate buffer overflow attacks. According to the researcher the flaw affects millions of 32-bit systems and should have been patched, but Microsoft seems to have a different opinion even though it paid $125,000 for the disclosure.
Microsoft confirmed that the company will take no action to fix the problem, for this reason, the researchers decided to inform the users.
“Today at the RECon conference in Montreal, the team is disclosing full details of the Microsoft Internet Explorer research submitted after receiving confirmation that Microsoft does not intend to patch the Address Space Layout Randomization (ASLR) flaw involved. We are also releasing a white paper with the technical details of the attacks, including those against default IE configurations, and suggestions for improving IE’s defenses.” said Childs. “Since Microsoft feels these issues do not impact a default configuration of IE — thus affecting a large number of customers — it is in their judgment not worth their resources and the potential regression risk,”
“We disagree with that opinion and are releasing the proof-of-concept information to the community in the belief that concerned users should be as fully informed as possible in order to take whatever measures they find appropriate for their own installations.
“… we’ve handled vulnerabilities and vendor responses for nearly 10 years. This is hardly the first time a vendor has decided not to fix a problem we think they should.”
Microsoft will not issue the patch because:
It is easy to predict that criminal crews worldwide will include the exploit in the numerous crimeware toolkits available in the wild. Exploit kits that include the flaw could allow an attacker to exploit it in millions of Internet Explorer installations on 32-bit Windows platforms.
Childs disclosed the Windows 7 and 8.1 proof-of-concept exploit under HP’s Zero Day Initiative; the expert also published a video of the PoC.
Childs confirmed that the Address Space Layout Randomisation exploit affects only 32-bit IE platforms that are currently used by millions of users.
“Think of it (the exploit) as surgical tools for working around the effects of Memory Protection where possible. MemoryProtection only fully mitigates a subset of use-after-free (UAF) vulnerabilities. Is an ineffective ASLR mitigation worth a ‘slight decrease’ in UAF vulnerability submissions to Microsoft? It seems that for Microsoft, the answer is yes. UAF vulnerabilities still exist in IE and the ease at which ASLR can be broken only makes IE a more attractive target for attackers.”
(Security Affairs – IE exploit, Microsoft)