Microsoft vulnerability patched by a third-party firm


ACROS Security has released yet another temporary patch for an Internet Explorer 11 Type Confusion vulnerability that could potentially allow remote code execution.

The vulnerability (CVE-2017-0037) is demonstrated by a proof of concept consisting of a short HTML file: when it is opened in IE11, JavaScript dynamically reformats StyleSheet properties of an HTML table in a way that causes type confusion, ending in a crash, according to a March 9 blog post.

The patch has been deployed for Windows 10 64-bit, Windows 8.1 64-bit, Windows 7 64-bit and Windows 7 32-bit.

“Note that when Microsoft's update fixes this issue, it will replace the vulnerable mshtml.dll and our patch will automatically stop getting applied as it is strictly tied to the vulnerable version of the DLL,” 0patch Team member Luka Treiber said in the blog post.

The most recent patch comes on the heels of a separate temporary patch that ACROS released for Microsoft vulnerability CVE-2017-0038, which involves the mishandling of Device Independent Bitmaps by EMF metafiles implemented within the Windows Graphic Component GDI library.
