Cybellum is the developer of the first automated vulnerability detection technology on the market. Our platform detects vulnerabilities in compiled code, even when they don’t cause a crash, without performance impact on the tested software.
The week of IE and Edge testing resulted in 4 submissions to MSRC – Microsoft Security Response Center. One of them is the focus of this report. It was disclosed to Microsoft, and classified by them as a non-security issue, with no security impact on customer. There’s no CVE incoming, and the security team isn’t working on a patch.
A separate post was created to show the vulnerability and how it works. It can be found here.
More information about the vulnerabilities we’ve recently submitted can be found on our vulnerabilities page.
The aforementioned type confusion was reported to Microsoft on August 21, and assigned the internal case number MSRC 40325. In our report, we’ve attached the crash.html file and pointed out that “The vulnerability seems to work only if the developer tools are open. With some additional work, it may be possible to reproduce the crash without the developer tools.”
Nine days later, on August 30th, we have received a response:
“Engineering has completed their assessment of this submission. Because of the hard requirement to open developer tools in order to manifest the issue, this submission doesn’t meet the bar for servicing via security update, and will not be assigned a CVE. Engineering tried to find a way to manifest this issue without opening the developer tools but was unable to do so. That being said, we are planning to address this in a future version of IE.”
We disagree. Opening Developer Tools is not a complex, fringe case flow. Sure, it’s not a print dialog, but Dev Tools are frequently used by a large number of users.
Clarification edit: The vulnerability is exposed both when Developer tools are opened, and when a page source is viewed.
Upon voicing our disagreement, we’ve received a further response that sheds the light on Microsoft’s practices when evaluating vulnerabilities. These practices, in our opinion, are not only detrimental to Microsoft’s cooperation with security researchers, but showcase how the company can be arbitrary in its security decisions.
The highlight of their second email is the statement “When the Developer Console is open, users have chosen to alter their application into a more capable, but less secure state“, but there’s so much more there. And so, we’d like to publicly address several points in the email.
“For most cases where an issue is determined to be non-exploitable or a stability issue only, no CVE is assigned, because we only want to assign CVEs to issues that we believe may have some security impact on our customers. ”
Microsoft, it seems, does not think that the Type Confusion we’ve discovered has any security impact on their customers.
“In regards to the submission requiring the Developer Console being open – we do agree that this needs to be fixed, but because of the atypical level of user interaction required, we do not believe that this warrants a CVE. Typical users won’t be using the Developer Console while browsing, and while we understand that users can be tricked into opening this, we don’t believe that this will be a common scenario for a typical user.”
So it’s not about the security impact on IE/Edge users, but about the impact on “typical users”. Not only is this a straw man argument, it’s a dangerous one at that. “Typical users” are whatever Microsoft says they are, a shifting definition with no clear guidelines. Atypical users, defined only as the-ones-that-aren’t-typical, should expect less security.
“When the Developer Console is open, users have chosen to alter their application into a more capable, but less secure state. For example, in Office documents, scripting is disabled by default and a user must enable it manually. However, doing so exposes them to Office document script attacks.”
Microsoft have never before even hinted about Developer Tools altering IE into a less secure state. Moreover, this is nothing like macros in Word, which come with a security warning.
Either this statement does not really represent Microsoft’s true stance on opening the Dev Tools, or they’ve neglected to tell people that opening Dev Tools in IE/Edge might be dangerous. In either case, this is again a position that endangers IE/Edge users.
It’s difficult to infer from one person’s email the official company line of a corporate giant like Microsoft, but you have to remember – security researchers only get this one guy. He speaks for the company, and when he says that this will sometime-maybe-probably be fixed, his is the only response we will ever get.
Behind him, though, there’s a huge machine, and we believe that it had malfunctioned in this case. Bad judgement in both technological and security assessment of a serious vulnerability is not something that should be expected from a security-forward company. CVEs are not assigned as a perk to security researchers, they’re issued for the benefit of the customers.
As mentioned before, we are dismayed that Microsoft refused to label this vulnerability as a security issue, and hope they reconsider. We further hope that Microsoft clarifies its stance on the security impact of opening Dev Tools, and reviews its processes for working with security researchers.
Edit: We’ve toned down the language a bit, without changing any details. This really isn’t the place to be flippant. We’re not happy about this situation, and being snarky does not help anyone.