HP researchers have published details and proof-of-concept code for several unpatched flaws in Microsoft's Internet Explorer web browser that allow attackers to bypass the browser's key exploit mitigations.
The researchers, part of HP's Zero Day Initiative (ZDI) team, normally disclose details of bugs they have reported to vendors only after patches are issued.
But the team decided to go public after Microsoft informed it that the company did not intend to fix the bugs, on the grounds that the vulnerabilities do not affect enough users.
The flaws were nonetheless serious enough for Microsoft to have earlier awarded the HP team a US$125,000 bug bounty.
The researchers had discovered that an attacker could fully bypass address space layout randomisation (ASLR) and data execution prevention (DEP) in Internet Explorer on Windows, defeating the Isolated Heap and MemoryProtection mitigations Microsoft added to IE last year.
ASLR randomises where code and data are loaded in a process's memory, so an attacker cannot rely on fixed addresses; DEP uses the processor's no-execute page protection to mark data regions such as the stack and heap as non-executable, so injected code placed there cannot run. The two reinforce each other: DEP forces an attacker to reuse code that is already in memory, and ASLR hides where that code is, so an information leak that defeats ASLR typically undoes the protection DEP provides as well.
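The hardware behaviour DEP relies on can be shown directly. The following C program is an added example written for this page, not HP's proof-of-concept or any Microsoft code, and it uses Linux mmap/mprotect rather than the Windows VirtualAlloc/VirtualProtect API: it writes a single return instruction (standing in for injected code) into a read-write page, tries to execute it, and then retries after marking the page executable. The first attempt faults because the CPU refuses to fetch instructions from a non-executable page; the second runs. The instruction bytes and the signal-handling approach are assumptions for an x86 or AArch64 Linux host.

```c
/* Added example: demonstrates the no-execute page protection behind DEP on
   Linux. Not code from the article, HP ZDI or Microsoft. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* One "return immediately" instruction for the host CPU; it stands in for
   attacker-injected code. (Assumption: x86/x86-64 or AArch64 host.) */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char RET_INSN[] = { 0xC3 };                   /* ret */
#elif defined(__aarch64__)
static const unsigned char RET_INSN[] = { 0xC0, 0x03, 0x5F, 0xD6 }; /* ret */
#else
#error "unsupported architecture for this demo"
#endif

static sigjmp_buf fault_env;

/* Executing a non-executable page raises SIGSEGV; unwind back to try_execute. */
static void on_fault(int sig) {
    (void)sig;
    siglongjmp(fault_env, 1);
}

/* Call the code at `page`. Returns 1 if it ran to completion, 0 if the CPU faulted. */
static int try_execute(void *page) {
    struct sigaction sa, old_segv, old_bus;
    int ran;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    if (sigsetjmp(fault_env, 1) == 0) {
        void (*fn)(void) = (void (*)(void))page;
        fn();
        ran = 1;
    } else {
        ran = 0;
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return ran;
}

/* Returns 1 when code in a read-write page faults but the same page runs once
   marked read-execute, i.e. hardware NX enforcement is in effect; -1 on error. */
int dep_demo(void) {
    long pagesz = sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, (size_t)pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;

    /* "Inject" the payload into a data page, as an exploit would. */
    memcpy(page, RET_INSN, sizeof RET_INSN);
    __builtin___clear_cache((char *)page, (char *)page + sizeof RET_INSN);

    int ran_rw = try_execute(page);   /* DEP case: page is RW, fetch must fault */

    if (mprotect(page, (size_t)pagesz, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, (size_t)pagesz);
        return -1;
    }
    int ran_rx = try_execute(page);   /* page now RX: the same bytes execute */

    munmap(page, (size_t)pagesz);
    printf("execute from RW page: %s\n", ran_rw ? "ran" : "faulted (non-executable)");
    printf("execute from RX page: %s\n", ran_rx ? "ran" : "faulted");
    return (ran_rw == 0 && ran_rx == 1) ? 1 : 0;
}

int main(void) {
    return dep_demo() == 1 ? 0 : 1;
}
```

The mprotect step is exactly what a full bypass has to achieve without being able to run code first, which is why, in practice, DEP is defeated by chaining code that is already executable and why knowing that code's address (the ASLR bypass above) is the hard part.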
The HP team said it reported the vulnerabilities to Microsoft last year and had opted to withhold full details of the flaws until they were fixed.
However, Microsoft told the researchers that because the flaws did not affect 64-bit systems, they would not be patched.
HP researcher Dustin Childs said that while Microsoft was technically correct – "a 64-bit system has a much larger address space than a 32-bit system, which makes ASLR that much more effective" – millions of 32-bit systems were still at risk from the flaws.
Microsoft’s forthcoming Windows 10 operating system will also have a 32-bit edition.
“To demonstrate this, we have released proof-of-concept (PoC) code to demonstrate this bypass on Windows 7 and Windows 8.1,” Childs, formerly the group manager of response communications at Microsoft’s security department, wrote.