
On CVE-2014-1770 / ZDI-14-140 : Internet Explorer 8 "0day"

Hi all,

I have received a ton of questions regarding a recently published ZDI advisory, which provides some details about a bug in Internet Explorer 8 that I discovered and reported to Microsoft (via ZDI). I wanted to take a few moments to clear up some of the confusion and answer some of those questions in this post.

1. Advisory vs Exploit

First of all, what was published is an advisory, not an exploit. The advisory contains *some* details about the bug, but rest assured, it won't be easy to reproduce the vulnerability based on the advisory alone. In other words, what has been disclosed is the fact that there's a bug in IE and that it has not been patched (yet) after 180 days. Some websites reported that "Microsoft won't fix" the bug. As far as I can tell, this is speculation and may be (partially) right or just wrong. Only Microsoft knows, so we'll have to wait and see what happens. Long story short, the actual exploit has not been released and there are no plans to release it at this point in time, or at all before a patch becomes available.

2. So this is the only bug in <software> ?

The "Upcoming advisories" list on the ZDI website shows that this is not the only vulnerability that has not been patched (not just in Microsoft software).  The website obviously only lists vulnerabilities that have been reported through ZDI. It’s hard to estimate how many bugs have not been reported (and may be used in the wild as we speak), how many have been reported through other means, or how many bugs have not been identified yet.  In any case, all of the bugs listed on the ZDI page have 2 things in common: they have been reported and a small number of people have details about the bug, due to the fact that it was reported to the vendor via ZDI.  Nothing special here.

Technically, all of those cases put us in the same position – they prove that affected systems are vulnerable. At the same time, how long it takes for a bug to get patched is not the whole story: there's always a chance that somebody else has discovered the same bug, or another bug, and may use it against us whenever he or she wants. It is also clear that the faster bugs get fixed, the better; and the more bugs get fixed, the better. But that still doesn't guarantee 100% security, because there's always a chance a new or different bug was found or will be found.

Also, until a bug gets fixed, no patch is available.  Surprise surprise, all unpatched bugs are… hmmm… unpatched.

3. If this bug gets patched, we’re safe, right ?  If not, we’re doomed ?

Achieving a zero-bug state in complex software (such as a web browser) is very unlikely. That's exactly why Operating Systems (Windows, Unix, Linux, OSX, Android, etc) have adopted additional security measures such as ASLR, DEP, stack canaries, etc. These mitigations don't remove bugs; they make a given bug harder to exploit reliably, whatever the OS or application you're running. Focusing on just one bug and the time it takes to patch it doesn't really say much about your absolute level of security. It's often not the known we need to worry about, but the unknown. We need generic and layered defense, period. Harden your OS, harden your apps, harden your browser.

4. Is it really a dangerous bug ?

The ZDI advisory looks pretty accurate. IE8 is affected and arbitrary code execution is definitely possible. As Microsoft indicates, EMET (Enhanced Mitigation Experience Toolkit) will prevent the POC/exploit from achieving arbitrary code execution. This works because EMET's mitigations are generic rather than specific to this bug, which is exactly why installing EMET has become an important layer of defense on your Windows endpoints. This case simply reinforces that. EMET won't stop every single exploit, but it does increase the cost (for an attacker) to pwn a box. If you're serious about security, install it. If you don't care, install it too. It doesn't matter if you're using IE or not.

5. 180 days

The fact that the vulnerability was reported back in October 2013 and still has not been patched may sound disconcerting, but I'm sure there must be a very good reason. 180 days is a number, a deadline, a commonly accepted period in which most bugs should get patched. Sometimes it works, sometimes it doesn't. Again, only Microsoft knows exactly why. Everybody agrees that 180 days is a very long time, but I don't believe this is an indication that Microsoft is ignoring bug reports or doesn't care about security at all, so let's not exaggerate things. In fact, Microsoft is doing an excellent job in handling vulnerability reports, issuing patches and crediting researchers. I'm sure we can all come up with examples of (small and large) software companies that approach bug reports in a very different way. Additionally, the BlueHat initiative is a good example of being pro-active and providing monetary rewards for cutting-edge security research.

Anyway, I am worried too about a 180-day delay to get a bug fixed. But I would be really worried if the bug was actively being exploited and left unpatched for another 180 days.

I hope this short post clarifies some of your doubts and answers some of your questions. If not, please feel free to reach out.

cheers

Peter


© 2014, Corelan Team (corelanc0d3r). All rights reserved.
