Edge and IE vulnerability disclosed by Project Zero
Google Project Zero's 90-day disclosure policy bites Microsoft again, as a zero-day Edge and IE vulnerability is made public before a patch is available.
For the second time in one week, Google Project Zero's disclosure policy has made public an Edge and IE vulnerability for which no fix is available, following the cancellation of February's Patch Tuesday release.
According to Ivan Fratric, security researcher for Google Project Zero, the issue is a type-confusion flaw that primarily affects Internet Explorer (IE) and produces mixed results against the newer Edge browser. Fratric was able to exploit the issue in both browsers, but while commenters on the Project Zero post were able to confirm the IE vulnerability, they could not confirm it in Edge.
The rcx register value "is supposed to point to another object type, but in the [proof of concept], it points to an array of 32-bit integers allocated in [an array that] stores offsets of table columns, and the values can be controlled by an attacker (with some limitations)," Fratric wrote. "The crash occurs because [the rax register] points to uninitialized memory. However, an attacker can affect rax by modifying table properties such as border-spacing and the width of the first element."
Joe Rozner, software security senior engineer at Prevoty, based in Los Angeles, said this appears to be a "very dangerous" IE vulnerability, because it is "remotely exploitable and leads to remote code execution by simply visiting an attacker's page, which makes it a prime for phishing, malvertising and other methods of wide distribution."
"Detecting the exploit before it fires is probably pretty hard, if not impossible, because you'd need to do semantic analysis on the HTML, JavaScript and CSS before anything is rendered to detect the condition," Rozner told SearchSecurity. "The ticket specifically mentions single-process mode as a requirement. It's unclear as to whether it occurs in multiprocess mode, and I don't know how common this is or the business impact of enabling it. It's generally a more secure way to run a browser and could potentially mitigate this."
In a comment on the original post, Fratric refused to discuss how to exploit the Internet Explorer vulnerability because "the report has too much info on that as it is (I really didn't expect this one to miss the deadline)."
Google Project Zero has a 90-day disclosure policy, after which time the details of a bug will automatically become public. It is unclear whether this IE vulnerability would have been fixed in a normal month. But this month, Microsoft cancelled Patch Tuesday, with little explanation.
Neither Google nor Microsoft acknowledged if the two companies had been in contact regarding this specific IE vulnerability following the delay of Patch Tuesday, but Microsoft told SearchSecurity it has asked Google about a more generous disclosure deadline.
"We believe in coordinated vulnerability disclosure, and we've had an ongoing conversation with Google about extending their deadline, since the disclosure could potentially put customers at risk," a Microsoft spokesperson said. "Microsoft has a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible."
Rozner said it was surprising that Microsoft cancelled Patch Tuesday, "given Microsoft's relatively recent push for improving security and transparency. Perhaps they discovered more bugs in responding and didn't want to publicize them until a fix was ready, or it was just an oversight. Either way, it seems like a poor response."