Project Zero: Disclosed bug in Windows – Research Snipers



There is a flaw in Edge and Internet Explorer 11 on Windows 10 that allows remote attackers to crash the browser and, according to Google's security research team, Project Zero, execute arbitrary code. Details were published today.

Google reported the issue directly to Microsoft on November 25 and made it public on Friday because Project Zero's 90-day disclosure deadline had expired with still no patch from Microsoft. Google tracks the bug as CVE-2017-0037 and describes it as a type confusion issue in HandleColumnBreakOnColumnSpanningElement.

According to Mitre's description of the issue, a remote attacker can use this bug to execute arbitrary code on a Windows 10 machine by way of a webpage carrying a malicious Cascading Style Sheets (CSS) token sequence and JavaScript.

“Microsoft Internet Explorer 11 and Microsoft Edge have a type confusion issue in the Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement function in mshtml.dll, which allows remote attackers to execute arbitrary code via vectors involving a crafted Cascading Style Sheets (CSS) token sequence and crafted JavaScript code that operates on a TH element,” it notes.

Google's detailed note reports how the Edge and IE crashes can be triggered, along with the proof-of-concept details. The bug was found by Ivan Fratric, a member of Project Zero, who says he was surprised that Microsoft did not patch it before the 90 days were up; the missed deadline came as a bit of a shock to him.

Project Zero is a team of security researchers backed by Google.

Microsoft initially delayed its patch release until March 14 but has not explained why. Last week it did patch Flash Player-related bugs in Edge and IE, but it has not yet addressed the flaw reported by Project Zero.


Fratric's write-up contains a good deal of information, but discussion of the details of exploitability is deferred until Microsoft has patched the bug. When asked how he would go about fixing it, he replied, “The first step would be to determine why the type confusion occurred in the first place. Adding a type check somewhere in the vulnerable function might be sufficient, but it also might be just fixing the symptom and not the root cause. My hypothesis, given that there are two types of columns in DOM: html table columns and CSS columns, is that IE/Edge gets confused between the two.”
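To make the distinction in that quote concrete, here is an added illustration of "type check in the handler" versus "fix at the root cause". It is not Fratric's, Google's or Microsoft's code, and the layout classes (LayoutNode, TableColumn, CssColumn, MultiColumnBoxBuilder, handleColumnBreak) are hypothetical stand-ins, not mshtml's real types: two unrelated column concepts share one base type, the break handler only understands one of them, and the confusion is blocked either at the handler or, better, at the builder that should never have mixed them.

```cpp
#include <cstdio>
#include <memory>
#include <vector>

// Hypothetical layout-node model (not mshtml's real classes). Two unrelated
// "column" concepts share a base type, which is where a type confusion starts.
enum class NodeKind { TableColumn, CssColumn, Block };

struct LayoutNode {
    explicit LayoutNode(NodeKind k) : kind(k) {}
    virtual ~LayoutNode() = default;
    NodeKind kind;
};

struct TableColumn : LayoutNode {
    TableColumn() : LayoutNode(NodeKind::TableColumn) {}
    int cellCount = 0;          // layout of an HTML table column
};

struct CssColumn : LayoutNode {
    CssColumn() : LayoutNode(NodeKind::CssColumn) {}
    int breakOffset = 0;        // the field the column-break handler needs
};

// Symptom-level fix: the handler verifies the dynamic type before it
// reinterprets the node. Without this check, a static_cast of a TableColumn
// to CssColumn* would read and write memory laid out for a different type.
// Returns true if a break was recorded, false if the node was rejected.
bool handleColumnBreak(LayoutNode* node, int offset) {
    if (node == nullptr || node->kind != NodeKind::CssColumn) {
        return false;                                   // refuse rather than confuse
    }
    static_cast<CssColumn*>(node)->breakOffset = offset; // safe: kind was checked
    return true;
}

// Root-cause fix: the builder that feeds the handler never accepts a table
// column as a spanning element, so the confused state is never constructed.
class MultiColumnBoxBuilder {
public:
    bool addSpanningElement(std::unique_ptr<LayoutNode> node) {
        if (node->kind == NodeKind::TableColumn) {
            return false;                               // table columns are not CSS columns
        }
        spanning_.push_back(std::move(node));
        return true;
    }
    // Apply a break to every accepted spanning element; count the successes.
    int applyBreaks(int offset) {
        int applied = 0;
        for (auto& n : spanning_) {
            if (handleColumnBreak(n.get(), offset)) ++applied;
        }
        return applied;
    }
    size_t size() const { return spanning_.size(); }
private:
    std::vector<std::unique_ptr<LayoutNode>> spanning_;
};

// Drives both layers with a constructed tree: one CSS column, one table column,
// one plain block. Returns how many breaks were applied (only the CSS column).
int demo() {
    MultiColumnBoxBuilder builder;
    builder.addSpanningElement(std::make_unique<CssColumn>());                // accepted
    builder.addSpanningElement(std::make_unique<TableColumn>());              // rejected at the root
    builder.addSpanningElement(std::make_unique<LayoutNode>(NodeKind::Block)); // accepted, but not a CSS column
    return builder.applyBreaks(42);
}

int main() {
    std::printf("breaks applied: %d\n", demo());
    return 0;
}
```

The handler check alone keeps the process safe, but it still lets the builder assemble a tree that the rest of the layout code may not expect; rejecting the wrong node type where the tree is built is what the quote calls fixing the root cause.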
