HP’s ZDI discloses new vulnerabilities in Internet Explorer
24 July 2015 | 0
HP’s Zero Day Initiative (ZDI) does not cut much slack with its 120-day disclosure policy. When ZDI knocks on your door and says you have a security hole, you get 120 days to fix it or risk full public disclosure. And that is what happened — again, with ZDI and Microsoft — again. Over Internet Explorer — again.
Rather than spilling all the beans, ZDI offers a tantalising hint at what the problems entail. If the ZDI whistleblowers successfully walk the fine line, they will spur Microsoft to take action without supplying information to the bad guys. All the while, of course, ZDI offers its own protection against the vulnerability, so it is hardly a zero-sum game.
The timeline published by ZDI in this case looks remarkably lenient. ZDI notified Microsoft of the first vulnerability on 12 November 2014. It extended the disclosure deadline to 12 May 2015, then extended it again to July 19. “The vendor [Microsoft] replied with an expected build, but not a date.” With no fix forthcoming, ZDI went public on 22 July.
Here are the vulnerabilities, as reported by ZDI:
- ZDI-15-359: Microsoft Internet Explorer CTableLayout::AddRow Out-Of-Bounds Memory Access Vulnerability
- ZDI-15-360: Microsoft Internet Explorer CAttrArray Use-After-Free Remote Code Execution Vulnerability
- ZDI-15-361: Microsoft Internet Explorer CCurrentStyle Use-After-Free Remote Code Execution Vulnerability
- ZDI-15-362: Microsoft Internet Explorer CTreePos Use-After-Free Remote Code Execution Vulnerability
The general advice is to avoid using Internet Explorer.
Woody Leonhard, IDG News Service