
Edge and IE vulnerability disclosed by Project Zero

Google Project Zero's 90-day disclosure policy bites Microsoft again, as a zero-day Edge and IE vulnerability is made public before a patch is available.

For the second time in one week, Google Project Zero's disclosure policy has uncovered an Edge and IE vulnerability without a fix following the cancellation of February's Patch Tuesday release.

According to Ivan Fratric, security researcher for Google Project Zero, the issue is primarily an Internet Explorer (IE) vulnerability that produces mixed results against the new Edge browser, leveraging a type-confusion flaw. Fratric was able to exploit the issue in both browsers, but while commenters on the Project Zero post were able to confirm the IE vulnerability, they could not confirm it in the Edge browser.

The rcx register value "is supposed to point to another object type, but in the [proof of concept], it points to an array of 32-bit integers allocated in [an array that] stores offsets of table columns, and the values can be controlled by an attacker (with some limitations)," Fratric wrote. "The crash occurs because [the rax register] points to uninitialized memory. However, an attacker can affect rax by modifying table properties such as border-spacing and the width of the first element."
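What Fratric describes is a type-confusion bug: code that expects a pointer to one object type instead receives a different object, here an array of 32-bit integers whose contents the page can influence. As an added illustration of that bug class, not code from the Project Zero report or from Internet Explorer, the following C program models a hypothetical tagged heap object. The unchecked accessor interprets an offset array as if it were a table layout and returns a value derived from untrusted data; the checked accessor verifies the tag first and rejects the mismatched object. All names (Object, KIND_TABLE_LAYOUT, first_column_start_*, the sample offsets) are invented for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Object kinds; the tag is what distinguishes one heap object type from another. */
enum { KIND_TABLE_LAYOUT = 1, KIND_OFFSET_ARRAY = 2 };

/* A simplified heap object: a kind tag followed by a payload whose layout
 * depends on the kind. Only one union member is live at a time. */
typedef struct {
    uint32_t kind;
    union {
        /* Hypothetical layout object consulted when measuring table columns. */
        struct { int32_t border_spacing; int32_t first_column_width; } table;
        /* Hypothetical array of 32-bit column offsets filled from page content. */
        struct { uint32_t count; int32_t values[3]; } offsets;
    } u;
} Object;

/* Bug: reads the payload as a table layout without checking the tag. If the
 * object is really an offset array, border_spacing aliases count and
 * first_column_width aliases values[0], so the result is whatever the
 * untrusted input put there. This is the type-confusion pattern. */
int32_t first_column_start_unchecked(const Object *obj)
{
    return obj->u.table.border_spacing + obj->u.table.first_column_width;
}

/* Fix: validate the dynamic type before interpreting the payload. Returns 1
 * and stores the result on success, 0 (leaving *out untouched) on mismatch. */
int first_column_start_checked(const Object *obj, int32_t *out)
{
    if (obj == NULL || obj->kind != KIND_TABLE_LAYOUT)
        return 0;
    *out = obj->u.table.border_spacing + obj->u.table.first_column_width;
    return 1;
}

Object make_table_layout(int32_t border_spacing, int32_t first_column_width)
{
    Object obj;
    memset(&obj, 0, sizeof obj);
    obj.kind = KIND_TABLE_LAYOUT;
    obj.u.table.border_spacing = border_spacing;
    obj.u.table.first_column_width = first_column_width;
    return obj;
}

Object make_offset_array(const int32_t *offsets, uint32_t n)
{
    Object obj;
    memset(&obj, 0, sizeof obj);
    obj.kind = KIND_OFFSET_ARRAY;
    if (n > 3)
        n = 3;
    obj.u.offsets.count = n;
    memcpy(obj.u.offsets.values, offsets, n * sizeof(int32_t));
    return obj;
}

/* Constructed sample: three column offsets that page content could set. */
static const int32_t SAMPLE_OFFSETS[3] = { 100, 7, 9 };

/* Unchecked read of an offset array as if it were a table layout:
 * count (3) + values[0] (100) = 103, a value derived from untrusted data. */
int32_t demo_confused_read(void)
{
    Object arr = make_offset_array(SAMPLE_OFFSETS, 3);
    return first_column_start_unchecked(&arr);
}

/* Checked read of the same object: the tag mismatch is rejected, returns 0. */
int demo_checked_rejects(void)
{
    Object arr = make_offset_array(SAMPLE_OFFSETS, 3);
    int32_t out = -1;
    return first_column_start_checked(&arr, &out);
}

/* Checked read of a genuine table layout: 4 + 50 = 54. */
int32_t demo_checked_table(void)
{
    Object tbl = make_table_layout(4, 50);
    int32_t result = -1;
    if (!first_column_start_checked(&tbl, &result))
        return -1;
    return result;
}

int main(void)
{
    printf("unchecked read of offset array: %d\n", demo_confused_read());
    printf("checked read of offset array accepted: %d\n", demo_checked_rejects());
    printf("checked read of table layout: %d\n", demo_checked_table());
    return 0;
}
```

The point of the toy is the shape of the fix: every access that depends on an object's type has to be guarded by a check of that type, because a confused read does not fail loudly. In the example it simply yields a number built from input the page controlled, and in a real engine the misread field can be a pointer, which is the uninitialized-memory crash Fratric's report describes.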

Joe Rozner, software security senior engineer at Prevoty, based in Los Angeles, said this appears to be a "very dangerous" IE vulnerability, because it is "remotely exploitable and leads to remote code execution by simply visiting an attacker's page, which makes it a prime for phishing, malvertising and other methods of wide distribution."

"Detecting the exploit before it fires is probably pretty hard, if not impossible, because you'd need to do semantic analysis on the HTML, JavaScript and CSS before anything is rendered to detect the condition," Rozner told SearchSecurity. "The ticket specifically mentions single-process mode as a requirement. It's unclear as to whether it occurs in multiprocess mode, and I don't know how common this is or the business impact of enabling it. It's generally a more secure way to run a browser and could potentially mitigate this."

In a comment on the original post, Fratric refused to discuss how to exploit the Internet Explorer vulnerability because "the report has too much info on that as it is (I really didn't expect this one to miss the deadline)."

Google Project Zero has a 90-day disclosure policy, after which time the details of a bug will automatically become public. It is unclear whether this IE vulnerability would have been fixed in a normal month. But this month, Microsoft cancelled Patch Tuesday, with little explanation.

Neither Google nor Microsoft acknowledged whether the two companies had been in contact regarding this specific IE vulnerability following the delay of Patch Tuesday, but Microsoft told SearchSecurity it has asked Google for a more generous disclosure deadline.

"We believe in coordinated vulnerability disclosure, and we've had an ongoing conversation with Google about extending their deadline, since the disclosure could potentially put customers at risk," a Microsoft spokesperson said. "Microsoft has a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible."

Rozner said it was surprising that Microsoft cancelled Patch Tuesday, "given Microsoft's relatively recent push for improving security and transparency. Perhaps they discovered more bugs in responding and didn't want to publicize them until a fix was ready, or it was just an oversight. Either way, it seems like a poor response."


Join the conversation

3 comments

Do you think Google Project Zero should have disclosed this IE vulnerability? Why or why not?

I think that it's good that Google is keeping tabs on vulnerabilities, but I think that they should work out a policy that is acceptable to both parties. 90 days does seem a little absurd, at least to disclose to the public, there's no reason for that.

The industry appears to be shifting to a standard of 90-days. How long do you think would be fair?
