
Microsoft will not patch an IE exploit affecting millions of 32-bit systems


Security expert Dustin Childs publicly disclosed a Microsoft IE exploit that affects only 32-bit IE platforms which are currently used by millions of users.

HP security expert Dustin Childs publicly disclosed a Microsoft IE exploit based on a flaw in the browser's Address Space Layout Randomisation (ASLR). ASLR is a security feature implemented to mitigate buffer overflow attacks. According to the researcher, the flaw affects millions of 32-bit systems and should have been patched, but Microsoft seems to have a different opinion even though it paid $125,000 for the disclosure.

Microsoft confirmed that it will take no action to fix the problem. For this reason, the researchers decided to inform users.

“Today at the RECon conference in Montreal, the team is disclosing full details of the Microsoft Internet Explorer research submitted after receiving confirmation that Microsoft does not intend to patch the Address Space Layout Randomization (ASLR) flaw involved. We are also releasing a white paper with the technical details of the attacks, including those against default IE configurations, and suggestions for improving IE’s defenses,” said Childs. “Since Microsoft feels these issues do not impact a default configuration of IE — thus affecting a large number of customers — it is in their judgment not worth their resources and the potential regression risk.”

“We disagree with that opinion and are releasing the proof-of-concept information to the community in the belief that concerned users should be as fully informed as possible in order to take whatever measures they find appropriate for their own installations.”

“… we’ve handled vulnerabilities and vendor responses for nearly 10 years. This is hardly the first time a vendor has decided not to fix a problem we think they should.”

Microsoft will not issue the patch because:

  • “64-bit versions of IE would benefit the most from ASLR”
  • “MemoryProtect has led to a significant overall decrease of IE case submissions”

It is easy to predict that criminal crews worldwide will include the exploit in the numerous crimeware toolkits available in the wild. Exploit kits that include it could allow an attacker to exploit the flaw in millions of Internet Explorer installations on 32-bit Windows platforms.

Childs disclosed the Windows 7 and 8.1 proof-of-concept exploit under HP’s Zero Day Initiative, together with a video of the PoC.

Childs confirmed that the Address Space Layout Randomisation exploit affects only 32-bit IE platforms that are currently used by millions of users.

“Think of it (the exploit) as surgical tools for working around the effects of Memory Protection where possible. MemoryProtection only fully mitigates a subset of use-after-free (UAF) vulnerabilities. Is an ineffective ASLR mitigation worth a ‘slight decrease’ in UAF vulnerability submissions to Microsoft? It seems that for Microsoft, the answer is yes. UAF vulnerabilities still exist in IE and the ease at which ASLR can be broken only makes IE a more attractive target for attackers.”

Pierluigi Paganini

(Security Affairs – IE exploit,  Microsoft)