Google Project Zero disclosed Monday a “high severity” vulnerability it found in Microsoft’s Edge and Internet Explorer browsers that could allow remote attackers to execute arbitrary code. The revelation adds yet another vulnerability to a growing list of known bugs Microsoft has been warned about, but is leaving unpatched, this month as it grapples with an undisclosed “issue” that forced it to skip February’s Patch Tuesday release.
This most recent vulnerability was identified by Ivan Fratric, a Google Project Zero researcher, who disclosed it to Microsoft on Nov. 25. In a technical report of the bug, Fratric said he was surprised that Microsoft wasn’t able to patch the vulnerability from the time it was privately disclosed.
“I really didn’t expect this one to miss the deadline,” he wrote.
Earlier this month, Microsoft announced it would skip its regular Patch Tuesday release of security bulletins and patches. As a consequence, Microsoft has also left two other publicly disclosed vulnerabilities unpatched with proof-of-concept exploits available for both. One of those vulnerabilities (CVE-2017-0038), a bug in Windows’ GDI library, was also reported by Google Project Zero. The second (CVE-2017-0016), is tied to a Windows (SMB) file-sharing component and allows adversaries to crash Windows 8.1 and Windows 10. The next scheduled Patch Tuesday is March 14.
As part of Project Zero’s policy, Google will publicly disclose a vulnerability after 90 days have elapsed from the time the bug was privately disclosed – whether or not its has been patched by the company in question.
The vulnerability (CVE-2017-0037) identified by Project Zero on Monday is tied to a flaw in Windows 10 Edge and Internet Explorer 11 and is described as a type of confusion vulnerability in “HandleColumnBreakOnColumnSpanningElement” – a parameter used in website tables. A confusion vulnerability refers to when a web application is tricked into thinking an object is something else.
Project Zero released a proof-of-concept exploit for the bug. However, despite the elapse of 90 days, Fratric said some details were withheld. “I will not make any further comments on exploitability, at least not until the bug is fixed. The report has too much info on that as it is,” he wrote.
Project Zero also reported the vulnerability, based on how the browsers handle data within the context rax, can be used to crash the browser and impact uninitialized memory.
“The crash occurs because rax points to uninitialized memory,” wrote Fratric. “An attacker can affect rax by modifying table properties such as border-spacing and the width of the firs TH element,” he explains. “My hypothesis, given that there are 2 types of columns in DOM: html table columns and CSS columns, is that IE/Edge gets confused between the two.”
In lieu of a patch from Microsoft, mitigation is limited, noted Fratric. “Adding a type check somewhere in the vulnerable function might be sufficient, but it also might be just fixing the symptom and not the root cause,” he noted in his research notes.
When asked last week, Microsoft declined to explain why it skipped its February Patch Tuesday release. “This month, we discovered a last minute issue that could impact some customers and was not resolved in time for our planned updates today,” it explained in a blog post to TechNet.
At the time, Tod Beardsley, senior research director at Rapid7, told Threatpost he could not recall a time when Microsoft has had fixes announced for publicly demonstrable issues, and then failed to release them.
“While there may not be active campaigns to exploit these issues today, the clock does appear to be ticking,” he told Threatpost last week.
Microsoft has addressed some vulnerabilities, despite skipping Patch Tuesday this month. Last week, Microsoft announced the availability of updates that address Adobe Flash Player vulnerabilities impacting its Internet Explorer and Edge browsers that allow attackers to execute remote code.