HP releases exploit code for IE zero-day that Microsoft won’t patch

Despite having paid $125,000 for information about an Address Space Layout Randomisation (ASLR) vulnerability affecting Internet Explorer, Microsoft has decided against patching it because they feel it does not affect the default configuration of IE.

But researchers from the HP Zero Day Initiative who have discovered this zero-day flaw in the first place believe that “concerned users should be as fully informed as possible in order to take whatever measures they find appropriate for their own installations.”

That’s why they published proof-of-concept (PoC) code to demonstrate this bypass on Windows 7 and Windows 8.1, and full details about the research and technical details of the attacks, along with tips on how to improve the browser’s defenses.

“Releasing this level of detail about an unfixed bug is not something we normally do, nor do we do it lightly. To be very clear, we are not doing this out of spite or malice,” HP’s Dustin Childs explained. “However, since Microsoft confirmed in correspondence with us they do not plan to take action from this research, we felt the necessity of providing this information to the public. We do so in accordance with the terms of our own ZDI vulnerability-disclosure program.”

He also added that this is not the first a vendor has decided not to fix a problem they think they should, and it surely won’t be the last time.

Unfortunately, the released information is likely to come handy for exploit kit developers.