Microsoft has worked wonders with Internet Explorer 11 on Windows 8.1, making sure that the platform is more secure than previous iterations. As a result, this version of the browser is rarely in the spotlight when it comes to security threats.
Most zero-day flaws and vulnerabilities are discovered on older versions of Internet Explorer.
In fact, Redmond even launched a bug bounty program during development to get help from security researchers — and in turn make these two products as difficult to hack as possible. Well, as the saying goes in computing security, you can never be too secure.
Abdul Aziz Hariri and Matt Molinyawe, two security researchers for the Zero-Day Initiative group at HP, have managed to break into IE 11 on Windows 8.1 at Mobile Pwn2Own.
The event was held recently, and HP says that the two researchers found a zero-day flaw in Internet Explorer 11 running on a Surface Pro. They managed to launch the built-in Calculator program from the browser, and then got full control of the vulnerable device.
HP provided a few details on its official site:
“The demonstration took advantage of a use-after-free issue in IE 11 to leak an address allowing them to bypass ASLR and DEP. Abdul and Matt launched calc.exe from the browser and also demonstrated a weaponized metasploit module.”
Needless to say, the issue has already been reported to Microsoft, privately.
And we can now expect the software titan to take a look at it and repair the issue in a future Patch Tuesday update. Keep an eye out for the December Patch Tuesday update cycle for more details.