HP Publishes Exploit Code For Unpatched IE Flaw

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications


HP has disclosed the details for a bug it says affects millions of Windows systems, after Microsoft declined to provide a patch

HP’s Zero Day Initiative (ZDI) unit has published the full details of unpatched vulnerabilities it discovered in Microsoft’s Internet Explorer, after Microsoft told the company it didn’t plan to fix all of the problems described.

ZDI, which buys software vulnerability information from third parties and also carries out its own research, normally follows a “responsible disclosure” policy, meaning under most circumstances it wouldn’t publish vulnerability data until after a problem had been fixed.

In this case, however, the unit said Microsoft had made it clear it had no plans to fix the bugs – in spite of having awarded ZDI $125,000 (£79,000) for the research earlier this year.

“We are also releasing a white paper with the technical details of the attacks, including those against default IE configurations, and suggestions for improving IE’s defenses,” wrote ZDI’s Dustin Childs, himself a former Microsoft security official, in a blog post.

The research outlined techniques for attacking the Isolated Heap and MemoryProtection functions in the latest version of IE (two mitigations Microsoft added to the browser in 2014 to make use-after-free bugs harder to exploit), as well as the use of MemoryProtection itself to bypass Address Space Layout Randomisation (ASLR), the Windows security feature that randomises where code and data are loaded in memory so that an attacker cannot rely on fixed addresses, according to ZDI.

In February, three ZDI researchers were awarded Microsoft’s Mitigation Bypass Bounty and Blue Hat Bonus for Defence for the submission. At the time ZDI said the initial white paper had been presented to Microsoft in October of last year, but wouldn’t be made public until later in the year because the problems hadn’t yet been addressed.

Security bypass

However, Microsoft has now made it clear in correspondence with ZDI that it doesn’t plan to fix one of the key flaws outlined in the research, the bypass of ASLR, arguing it doesn’t affect a default configuration of Internet Explorer, according to Childs.

“We disagree with that opinion and are releasing the proof of concept (PoC) information to the community in the belief that concerned users should be as fully informed as possible in order to take whatever measures they find appropriate for their own installations,” Childs stated.

He said the bypass described works on the default configuration of millions of systems, as demonstrated by proof-of-concept code released by ZDI for Windows 7 and Windows 8.1 systems.

“Releasing this level of detail about an unfixed bug is not something we normally do, nor do we do it lightly,” Childs said.

Microsoft did not immediately respond to a request for comment.
