Microsoft refuses to fix a known flaw in Internet Explorer 11, and so HP is raising the stakes by publishing proof-of-concept code that could be used to attack the weakness.
Last year HP's highly regarded Zero Day Initiative group found a bug in Internet Explorer 11's Address Space Layout Randomization (ASLR) routine and reported it to Microsoft.
HP went public with the flaw in February, when it announced that HP researchers Brian Gorenc, AbdulAziz Hariri, and Simon Zuckerbraun had received a $125,000 bug bounty from Microsoft. According to HP:
The February announcement came after the 120-day disclosure timeline had passed, but at the time, we did not disclose further details in the best interests of the ecosystem at large. In other words, Microsoft hadn't fixed all of the bugs yet, and we wanted to give them a little more time. We were working under the assumption that a fix for all reported bugs was being worked on. Unfortunately, Microsoft eventually informed the team a complete fix was not forthcoming.
The sticking point? Microsoft doesn't want to fix the 32-bit version of IE11.
We still haven't heard Microsoft's side of the story, but according to HP, Microsoft has given two reasons for not fixing the 32-bit bugs: "64-bit versions of IE would benefit the most from ASLR" which is undeniably (if obviously) true; and "MemoryProtect has led to a significant overall decrease of IE case submissions," which is also undoubtedly the case, but beside the point.
Since Microsoft feels these issues do not impact a default configuration of IE (thus affecting a large number of customers), it is in their judgment not worth their resources and the potential regression risk. We disagree with that opinion and are releasing the PoC information to the community in the belief that concerned users should be as fully informed as possible in order to take whatever measures they find appropriate for their own installations… in order to effectively protect a system, defenders must fully understand the threat. We feel it's important to let everyone know about the threat so that they could better understand the actual risk to their network.
While the remaining security flaw isn't earth-shattering -- it's a bypass of IE11's internal ASLR bug-thwarting capability, not a direct exploit -- and Microsoft has apparently fixed the much more common 64-bit version, it's still unsettling that Microsoft isn't willing to devote the resources to fix the 32-bit version of its flagship Web browser.
IE11 continues to live in Windows 10 -- 32-bit and 64-bit. Will the 32-bit flaw also persist?
It'll be interesting to hear Microsoft's side of the story.
t/h Zak Whittaker, ZDNet