HP's Zero Day Initiative (ZDI) doesn't cut much slack with its 120-day disclosure policy. When ZDI knocks on your door and says you have a security hole, you get 120 days to fix it or risk full public disclosure. That's what happened -- again. With ZDI and Microsoft -- again. Over Internet Explorer -- again.
Rather than spilling all the beans, ZDI offers a tantalizing hint at what the problems entail. If ZDI's researchers walk that fine line successfully, they'll spur Microsoft to take action without handing useful information to the bad guys. All the while, of course, ZDI offers its own protection against the vulnerabilities, so it's hardly a zero-sum game.
The timeline published by ZDI in this case looks remarkably lenient. ZDI notified Microsoft of the first vulnerability on Nov. 12, 2014. It extended the disclosure deadline to May 12, 2015, then extended it again to July 19. "The vendor [Microsoft] replied with an expected build, but not a date." With no fix forthcoming, ZDI went public on July 22.
Here are the vulnerabilities, as reported by ZDI:
- ZDI-15-359: Microsoft Internet Explorer CTableLayout::AddRow Out-Of-Bounds Memory Access Vulnerability
- ZDI-15-360: Microsoft Internet Explorer CAttrArray Use-After-Free Remote Code Execution Vulnerability
- ZDI-15-361: Microsoft Internet Explorer CCurrentStyle Use-After-Free Remote Code Execution Vulnerability
- ZDI-15-362: Microsoft Internet Explorer CTreePos Use-After-Free Remote Code Execution Vulnerability
The general advice is to avoid using Internet Explorer. Bet you've heard that one before.
UPDATE: Sources close to the fray confirm that three of the four vulnerabilities only appear in the mobile version of Internet Explorer. One, ZDI-15-359, did affect the desktop version, but it's already been patched.