Researchers at HP have unveiled a vulnerability in Internet Explorer for which no security update is available, and Microsoft has indicated that there is no patch will appear. In February this year, the HP researchers received an amount of $ 125,000 from Microsoft for the discovery of a new attack technique and developing a solution.
By using the technique, it was possible to circumvent the security ASLR-IE in the most recent version. ASLR is a measure to abuse vulnerabilities more difficult to make, the researchers decided in February not to reveal the details of the attack, because Microsoft had not yet resolved all the bugs. "We wanted to give them a little more time and assumed that was a solution to any problems reported in the making. Unfortunately, Microsoft did the team finally know that a comprehensive solution would not come," says Dustin Childs HP.
According to Microsoft, the problem would not exist in the default configuration of IP. Something the researchers disagree.They decided therefore to demonstration code to publish the attack, so users can see the problem yourself and determine what measures they should take for their own installations. "We think it's important that everyone knows about this threat, so they can better understand the risk to their network," Childs says. Besides the demonstration code and a YouTube video showing the attack, there is also a white paper (PDF) about the attack and underlying problems put online.
No comments:
Post a Comment