James Thew - Fotolia
For the second time in one week, Google Project Zero's disclosure policy has uncovered an Edge and IE vulnerability without a fix following the cancellation of February's Patch Tuesday release.
According to Ivan Fratric, security researcher for Google Project Zero, the issue is primarily an Internet Explorer (IE) vulnerability that produces mixed results against the new Edge browser, leveraging a type-confusion flaw. Fratric was able to exploit the issue in both browsers, but while commenters on the Project Zero post were able to confirm the IE vulnerability, they could not confirm it in the Edge browser.
The rcx register value "is supposed to point to another object type, but in the [proof of concept], it points to an array of 32-bit integers allocated in [an array that] stores offsets of table columns, and the values can be controlled by an attacker (with some limitations)," Fratric wrote. "The crash occurs because [the rax register] points to uninitialized memory. However, an attacker can affect rax by modifying table properties such as border-spacing and the width of the first element."
Joe Rozner, software security senior engineer at Prevoty, based in Los Angeles, said this appears to be a "very dangerous" IE vulnerability, because it is "remotely exploitable and leads to remote code execution by simply visiting an attacker's page, which makes it a prime for phishing, malvertising and other methods of wide distribution."
In a comment on the original post, Fratric refused to discuss how to exploit the Internet Explorer vulnerability because "the report has too much info on that as it is (I really didn't expect this one to miss the deadline)."
Google Project Zero has a 90-day disclosure policy, after which time the details of a bug will automatically become public. It is unclear whether this IE vulnerability would have been fixed in a normal month. But this month, Microsoft cancelled Patch Tuesday, with little explanation.
Neither Google nor Microsoft acknowledged if the two companies had been in contact regarding this specific IE vulnerability following the delay of Patch Tuesday, but Microsoft told SearchSecurity it has asked Google about a more generous disclosure deadline.
"We believe in coordinated vulnerability disclosure, and we've had an ongoing conversation with Google about extending their deadline, since the disclosure could potentially put customers at risk," a Microsoft spokesperson said. "Microsoft has a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible."
Rozner said it was surprising that Microsoft cancelled Patch Tuesday, "given Microsoft's relatively recent push for improving security and transparency. Perhaps they discovered more bugs in responding and didn't want to publicize them until a fix was ready, or it was just an oversight. Either way, it seems like a poor response."
Learn more about the Windows vulnerability disclosed by Google Project Zero last week.
Find out about doxware and if it is a new threat or just rebranded ransomware.
Get info on a proof-of-concept same-origin policy IE vulnerability.