Redmond: IE Win 8.1 defence destroying hack ain't worth patch, natch

HP security research bod Dustin Childs says the company couldn't get Microsoft to patch an IE exploit, so it's gone public. Childs says the Address Space Layout Randomisation (ASLR) hole affects millions of 32bit systems and should have been patched. He says his former paymasters at Redmond did not consider the bug 'worth it …

  1. Anonymous Coward
    Linux

    So that's alright then

    "Microsoft says it did not patch the clever bypass of its important defence mechanism because 64-bit as opposed to the affected 32-bit versions of the web browser derive most benefit from ASLR."

    It would appear that 32bit gets no benefit from ASLR now. Never mind, 64bit versions might be fine.

    Somehow I doubt that is _exactly_ what they said.

    1. thames

      Re: So that's alright then

      Microsoft are being a bit vague about it, but it's not clear if there is anything that can be done about it. I do remember reading elsewhere that ASLR on 32 bit systems was a dubious concept to begin with, and that on 64 bit systems people were predicting that ways around it would be found sooner or later. In fact I don't think this is the first 32 bit ASLR exploit, although the previous ones may have been theoretical rather than practical.

      Microsoft added a bunch of exploit mitigation features to Windows a few years ago. That's all they are though, "mitigation", not a substitute for not having security holes in the first place. They're just speed bumps to slow the hackers down, not stop them completely.

      What can be patched is the underlying security hole in Windows or IE (whatever it is, if it exists). Things like ASLR are just supposed to make exploiting those holes more difficult, not impossible.

      1. stizzleswick
        Black Helicopters

        @thames

        "What can be patched is the underlying security hole in Windows or IE" -- you do realize, of course, that many a sysadmin regards Windows as being the underlying security hole?

      2. h4rm0ny

        Re: So that's alright then

        >>"I do remember reading elsewhere that ASLR on 32 bit systems was a dubious concept to begin with, and that on 64 bit systems people were predicting that ways around it would be found sooner or later"

        It's not my area but I understand that with the much smaller address space in 32-bit systems, ASLR's benefit is of much less value because the randomization is of necessity far smaller and therefore less of an obstacle. The thing about ASLR is that it is not a fix, it is a mitigation, that offers some value in conjunction with other techniques. For 32-bit systems MS are essentially saying that the value is not significant. HP are saying that it is.

        I do not know enough about this area to say who is correct. I do think that HP are correct to disclose this now that MS have confirmed they won't fix it.

        >>"What can be patched is the underlying security hole in Windows or IE (whatever it is, if it exists)"

        There isn't a specific underlying security hole in this instance. HP have simply reported a flaw with the mitigation measure itself. MS haven't refused to fix any underlying flaw so far as I am aware.
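The thread above treats ASLR as an opt-in mitigation whose value differs between 32-bit and 64-bit images. As an added example (not from the article or any commenter), the script below reads the PE header flags a Windows loader consults before randomising an image: DYNAMIC_BASE, HIGH_ENTROPY_VA (honoured only for 64-bit images) and the COFF RELOCS_STRIPPED bit that silently defeats the opt-in. The headers it audits are constructed inline as test data, not loadable binaries.

```python
"""Audit a PE header for the ASLR opt-in flags. Added example; toy headers constructed inline."""
import struct

MACHINE_NAMES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)"}
IMAGE_FILE_RELOCS_STRIPPED = 0x0001                 # COFF Characteristics bit
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020   # 64-bit high-entropy ASLR
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040      # image may be relocated (ASLR)


def build_header(machine, dll_characteristics, file_characteristics=0):
    """Construct the smallest PE header carrying the fields we audit
    (constructed test data only; this is not a loadable image)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    magic = 0x20B if machine == 0x8664 else 0x10B   # PE32+ vs PE32
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes total)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, file_characteristics)
    # Optional header: Magic at 0, DllCharacteristics at offset 70 in PE32 and PE32+
    optional = struct.pack("<H", magic).ljust(70, b"\0") + struct.pack("<H", dll_characteristics)
    return dos + b"PE\0\0" + coff + optional


def aslr_status(data):
    """Return what the loader would conclude about ASLR for this image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    (machine,) = struct.unpack_from("<H", data, coff)
    (file_chars,) = struct.unpack_from("<H", data, coff + 18)
    (dll_chars,) = struct.unpack_from("<H", data, coff + 20 + 70)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    is_64 = machine == 0x8664
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        # An image without relocations cannot be moved, so the opt-in is ineffective.
        "aslr_effective": dynamic_base and not relocs_stripped,
        # High-entropy ASLR is only honoured for 64-bit images.
        "high_entropy": is_64 and bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


if __name__ == "__main__":
    for label, hdr in [("x86", build_header(0x014C, 0x0040)), ("x64", build_header(0x8664, 0x0060))]:
        print(label, aslr_status(hdr))
```

To audit a real file, pass `open(path, "rb").read()` to `aslr_status`; a 32-bit image can at best report `high_entropy: False`, which is the structural limit the commenters are arguing about.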

        1. sabroni Silver badge
          Thumb Up

          @ h4rm0ny

          Thanks, now I understand! Your post makes much more sense than the article!

    2. Dan 55 Silver badge
      Alert

      Re: So that's alright then

      Yet everyone uses 32-bit IE for plug-in compatibility.

      MS should stop being vague about this.

      1. sabroni Silver badge

        Re: Yet everyone uses 32-bit IE for plug-in compatibility.

        No, not everyone uses 32-bit IE for plug-in compatibility. If you reined in the hyperbole a bit you might have a point about a substantial group of users. Or you could just be bitching about something that affects you and your mates. Who knows?

        1. Dan 55 Silver badge

          Re: Yet everyone uses 32-bit IE for plug-in compatibility.

          The chances are that most IE users are still running the 32-bit version:

          - The Start Menu defaults to 32-bit IE.

          - File types/protocols are set up to call 32-bit IE.

          - 64-bit IE cannot be set as the default browser in Internet Options.

          - The main two plugins that everyone wanted, Flash and Java, were 32-bit for a long time which conditioned people's usage of IE.

          - There are many other 32-bit plug-ins that don't have a 64-bit version still.

          So not fixing 32-bit IE is a mistake.

  2. frank ly

    No conditions on the bounty payment?

    If Microsoft paid $125,000 as a bounty on finding the bug, I'm surprised they didn't have non-disclosure conditions on that payment. Maybe there's an industry-wide timeout that's generally recognised - does anybody know?

    1. Kanhef

      Re: No conditions on the bounty payment?

      According to HP, they reported it to Microsoft some eight months ago; their initial report in February said they’d already given Microsoft 120 days to respond. When they sit on a vulnerability in the latest version of one of their flagship products for that long, then decide they don’t want to fix it, they don’t have any right to tell people to not talk about it.

    2. This post has been deleted by its author

  3. Anonymous Coward
    Holmes

    And the solution is?

    ... upgrade for free to Windows 10, of course.

    And if it's not fixed there, there's always Spartan/Edge.

    I'm sure Microsoft consider that they've already provided the solution to this and all future Win7/8.1 exploits, so why bother fixing them elsewhere.

    1. Anonymous Coward
      Anonymous Coward

      Re: And the solution is?

      Because if Microsoft can't find and fix bugs in software that's been around for years, what makes you think their brand new software is bug free?

      Windows 10? After the debacle of Vista and Windows 8 I don't think so.

      1. Anonymous Coward
        Anonymous Coward

        Windows 10?

        After the success of XP and Windows 7? Go on then.

  4. JCitizen
    Coffee/keyboard

    Not doing us OR them any favors..

    I'm surprised they aren't claiming EMET can cover the rest of the mitigation. Oh Well! They don't do themselves any favors for being flippant.
