Google reports high-severity bug in Edge/IE, no patch available (ArsTechnica)

A member of Google’s Project Zero security research team has disclosed a high-severity vulnerability in Microsoft’s Edge and Internet Explorer browsers that reportedly allows attackers to execute malicious code in some instances.

The vulnerability stems from what’s known as a type-confusion bug in Internet Explorer 11 and Microsoft Edge, Project Zero researcher Ivan Fratric said in a report that he sent to Microsoft on November 25 and publicly disclosed on Monday. The disclosure is in line with Google’s policy of publishing vulnerability details 90 days after being privately reported. A proof-of-concept exploit Fratric developed points to data stored in memory that he said “can be controlled by an attacker (with some limitations).” Asked by a commenter how easy it would be to bypass security measures designed to prevent code execution, Fratric wrote: “I will not make any further comments on exploitability, at least not until the bug is fixed. The report has too much info on that as it is (I really didn’t expect this one to miss the deadline).”

Meanwhile, the National Vulnerability Database entry for the bug, which is indexed as CVE-2017-0037, warned that it “allows remote attackers to execute arbitrary code via vectors involving a crafted Cascading Style Sheets (CSS) token sequence and crafted JavaScript code that operates on a [table-header] element.” Microsoft representatives didn’t have a comment at the time this post went live. This post will be updated if they provide one later.

Monday’s disclosure is the second time in a week that Project Zero researchers have disclosed an unpatched security vulnerability in a Microsoft product. Last Monday, Project Zero researcher Mateusz Jurczyk published details of a flaw in Windows that exposes potentially sensitive data stored in computer memory. The two disclosures come after Microsoft canceled February’s regularly scheduled batch of patches for reasons officials have yet to explain. Microsoft officials said they planned to resume the normal Patch Tuesday release cycle in March.

Under Project Zero policy, researchers disclose vulnerability details 90 days after they are privately reported, whether or not the flaw has been patched. Fratric’s disclosure didn’t include any exploit code.

Source: SANS ISC SecNewsFeed @ February 27, 2017 at 02:42PM
