There is a flaw in Windows 10's Edge and Internet Explorer 11 that allows remote attackers to crash the browser and, according to Google Project Zero, the security research arm of Google, potentially execute arbitrary code. Details were published today.
Google first reported the issue directly to Microsoft on November 25. It was made public on Friday because Project Zero's 90-day disclosure deadline had expired and there is still no patch from Microsoft for the flaw. The bug is tracked as CVE-2017-0037, which Google describes as a type confusion issue in HandleColumnBreakOnColumnSpanningElement.
Google's detailed note describes how the Edge and IE crashes can be triggered, along with proof-of-concept exploit details. The bug was found by Ivan Fratric, a member of Project Zero. He says he was surprised that Microsoft did not patch the bug before the 90 days were up; missing the deadline came as a bit of a shock to him.
Project Zero is a team of security analysts empowered by Google.
Microsoft initially delayed its patch until March 14 but has not given an explanation as to why. Last week it did patch Flash Player related bugs in Edge and IE, but it has not addressed the flaw reported by Project Zero.
Fratric's write-up contains a lot of information, with the details of exploitability to be discussed once Microsoft has patched it. When asked how he would go about fixing this bug, he replied, “The first step would be to determine why the type confusion occurred in the first place. Adding a type check somewhere in the vulnerable function might be sufficient, but it also might be just fixing the symptom and not the root cause. My hypothesis, given that there are two types of columns in DOM: html table columns and CSS columns, is that IE/Edge gets confused between the two.”