Corelan Cybersecurity Research

Hi all,

I have received a ton of questions regarding a recently published ZDI advisory, which provides some details about a bug I discovered and reported to Microsoft (via ZDI), affecting Internet Explorer 8.  I wanted to take a few moments to clarify some of the confusion and answer some of the questions in this post.

1. Advisory vs Exploit

First of all, what was published is an advisory, not an exploit.  The advisory contains *some* details about the bug, but rest assured, it won’t be easy reproduce the vulnerability based on the advisory alone.   In other words, what has been disclosed is the fact that there’s a bug in IE and that it has not been patched (yet) after 180 days.  Some websites reported that "Microsoft won’t fix" the bug. As far as I can tell, this is speculation and may be (partially) right or just wrong. Only Microsoft knows, so we’ll have to wait and see what happens.  Long story short, the actual exploit has not been released and there are no plans to do so at this point in time/before a patch gets released.

2. So this is the only bug in ?

The "Upcoming advisories" list on the ZDI website shows that this is not the only vulnerability that has not been patched (not just in Microsoft software).  The website obviously only lists vulnerabilities that have been reported through ZDI. It’s hard to estimate how many bugs have not been reported (and may be used in the wild as we speak), how many have been reported through other means, or how many bugs have not been identified yet.  In any case, all of the bugs listed on the ZDI page have 2 things in common: they have been reported and a small number of people have details about the bug, due to the fact that it was reported to the vendor via ZDI.  Nothing special here.

Technically, all of those cases put us in the same position – it proves that affected systems are vulnerable. At the same time it doesn’t matter how long it takes for a bug to be patched because there’s always a chance that somebody else has discovered the same bug or another bug and may use it against us whenever he or she wants.  It is also clear that the faster bugs gets fixed, the better; and the more bugs get fixed, the better.  But it doesn’t guarantee 100% security because there’s always a chance a new/different bug was found or will be found. 

Also, until a bug gets fixed, no patch is available.  Surprise surprise, all unpatched bugs are… hmmm… unpatched.

3. If this bug gets patched, we’re safe, right ?  If not, we’re doomed ?

Achieving a zero-bug state in complex software (such as a web browser) is very unlikely.  That’s exactly why Operating Systems (Windows, Unix, Linux, OSX, Android, etc) have adopted additional security measures such as ASLR, DEP, Canaries, etc.   It doesn’t matter what OS or application you’re running. Focusing on just one bug and its time/delay to patch doesn’t really say much about your absolute level of security. We often don’t need to be worried about the known, but about the unknown. We need generic and layered defense, period.   Harden your OS, harden your apps, harden your browser.

4. Is it really a dangerous bug ?

The ZDI advisory looks pretty accurate.  IE8 is affected and arbitrary code execution is definitely possible. As Microsoft indicates, EMET (Enhanced Mitigation Experience Toolkit) will prevent the POC/exploit from achieving arbitrary code execution. In fact, it should be clear by now that installing EMET has become an important layer of defense on your Windows endpoints.  This case simply re-enforces this.  EMET won’t stop every single exploit, but it does increase the cost (for an attacker) to pwn a box. If you’re serious about security, install it. If you don’t care, install it too. It doesn’t matter if you’re using IE or not.

5. 180 days

The fact that the vulnerability was reported back in October 2013 and still has not been patched may sound disconcerting, but I’m sure there must be a very good reason. 180 days is a number, a deadline, a commonly accepted period in which most bugs should get patched.  Sometimes it works, sometimes it doesn’t.   Again, only Microsoft knows exactly why. Everybody agrees that 180 days is a very long time, but I don’t believe this is an indication that Microsoft is ignoring bug reports or doesn’t care about security at all, so let’s not exaggerate things.  In fact, Microsoft is doing an excellent job in handling vulnerability reports, issuing patches and crediting researchers.  I’m sure we can all come up with examples of (small and large) software companies that approach bug reports in a different way.  Additionally, the BlueHat initiative is a good example of being pro-active and providing monetary rewards for cutting-edge security research.

Anyways, I am worried too about a 180-day delay to get a bug fixed.  But I would be really worried if the bug was actively being exploited and left unpatched for another 180 days.

I hope this short post clarifies some of your doubts and answers some of your questions. If not, please feel free to reach out.

cheers

Peter

External links:

• http://arstechnica.com/security/2014/05/microsoft-to-fix-critical-ie-bug-that-has-gone-upatched-for-6-months/
• http://www.theregister.co.uk/2014/05/23/redmond_reversal_sees_ie8_patch_in_the_pipeline
• https://community.qualys.com/blogs/laws-of-vulnerabilities/2014/05/22/new-ie8-0-day-by-zdi
• http://www.itfars.com/41877/microsoft-will-patch-ie-zero-day-but-doesnt-give-timeline.html
• http://www.computerworld.com/s/article/9248531/Microsoft_plans_to_patch_IE_zero_day_eventually
• http://www.computerworld.com/s/article/9248521/Bug_bounty_program_outs_7_month_old_IE_zero_day
• http://threatpost.com/microsoft-working-on-patch-for-ie-8-zero-day/106247
• http://www.theregister.co.uk/2014/05/22/ie_8_zero_day_dumped_after_7_months_redmond_says_harden_up/
• http://www.infoworld.com/d/security/microsoft-will-patch-ie-zero-day-eventually-243045
• http://www.scmagazine.com/ie8-zero-day-vulnerability-unpatched-for-months-possibly-millions-at-risk/article/348420/

© 2014 – 2021, Peter Van Eeckhoutte (corelanc0d3r). All rights reserved.

Similar/Related posts:

Corelan Team reply to false allegation made by Kaspersky HITB2014AMS – Hack In The Box / Haxpo 2014 Amsterdam Ken Ward Zipper exploit write-up on abysssec.com corelanc0d3r featured on Offensive Security Blog Enable incoming icmp (ping) in Vista