HP’s Zero Day Initiative (ZDI) published proof-of-concept (PoC) code that could end up used to attack a flaw in Internet Explorer 11.
Last year HP ZDI found a bug in Internet Explorer 11’s Address Space Layout Randomization (ASLR) routine and reported it to Microsoft.
HP went public with the flaw in February, when it said HP researchers Brian Gorenc, AbdulAziz Hariri, and Simon Zuckerbraun had received a $125,000 bug bounty from Microsoft.
According to HP:
“The February announcement came after the 120-day disclosure timeline had passed, but at the time, we did not disclose further details in the best interests of the ecosystem at large. In other words, Microsoft hadn’t fixed all of the bugs yet, and we wanted to give them a little more time. We were working under the assumption that a fix for all reported bugs was being worked. Unfortunately, Microsoft eventually informed the team a complete fix was not forthcoming.”
As a whole, Microsoft is good at fixing problems, but the problem this time around is the software giant doesn’t want to fix the 32-bit version of IE11.
While Microsoft will not comment, HP said Redmond, WA-based software provider gave two reasons for not fixing the 32-bit bugs: “64-bit versions of IE would benefit the most from ASLR” which is undeniably (if obviously) true, and “MemoryProtect has led to a significant overall decrease of IE case submissions,” which is also undoubtedly the case, but beside the point.
HP’s Dustin Childs gave HP’s reason for full disclosure on the HP ZDI blog:
“Since Microsoft feels these issues do not impact a default configuration of IE (thus affecting a large number of customers), it is in their judgment not worth their resources and the potential regression risk. We disagree with that opinion and are releasing the PoC information to the community in the belief that concerned users should be as fully informed as possible in order to take whatever measures they find appropriate for their own installations… in order to effectively protect a system, defenders must fully understand the threat. We feel it’s important to let everyone know about the threat so that they could better understand the actual risk to their network. “