Network Security, Vulnerability Management

Google Project Zero notifies Microsoft as another bug found but not patched

Google's Project Zero has revealed a bug in Microsoft's Internet Explorer and Edge browsers, whereby if a user were to visit a malicious websites, it could crash the browser, and then execute code.

First found on November 25 last year, the bug works by attacking a type confusion in HandleColumnBreak OnColumnSpanningElement.

The group of Google researchers showed a 17-line proof-of-concept which crashes that process, with a focus on two variables rcx and rax.

“An attacker can affect rax by modifying table properties such as border-spacing and the width of the first th element,” Project Zero's post states – so the crafted Web page just needs to point rax to memory they control.

The Google project operates a strict rule where it notifies companies of bugs in their software, and sets a 90 day deadline for them to issue a fix, or it goes public and reveals it to the world. This bug had gone past the 90 day limit.

“We believe in coordinated vulnerability disclosure, and we've had an ongoing conversation with Google about extending their deadline since the disclosure could potentially put customers at risk," a Microsoft spokesperson told SC Media. "Microsoft has a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible.” 

Earlier this month, Google's Project Zero revealed a bug in Windows' Graphics Component GDI Library before Microsoft had fixed it. The bug in question, reported by Googler Mateusz Jurczyk, allows an attacker to access memory using EMF metafiles.

This story has been updated to include comments from Microsoft. 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.