Google’s Project Zero Leaks an Unpatched Microsoft Edge and IE Vulnerability

Both software developers and computer users are seriously worried about an increasing number of cyber attacks. Home PC users, small business, and even huge companies lost millions of dollars after their PCs were hijacked by ransomware viruses, such as Cryptolocker, FBI, Ukash, Locky, and many others. While ransomware attacks are the most severe, there are lots of other methods that hackers use to make a profit by blackmailing people. Tech giants, including Microsoft, have always been working hard to ensure users’ protection, but apparently, there are hundreds of professional programmers among hackers who manage to exploit the least security vulnerabilities. This is an ongoing issue, which is widely discussed on the Internet and various measures are taken to stop hackers from scamming people.

Recently, Microsoft has fallen into an unenviable situation after the Google’s Project Zero security research team has disclosed a severe vulnerability in Microsoft’s Edge and Internet Explorer web browsers at the end of November 2016. The vulnerability (indexed as CVE-2017-0038) is known as a type-confusion bug, which stems from HTML file in which JavaScript reformats the StyleSheet properties of an HTML table. Consequently, the type confusion originates causing the web browser’s security loophole. As National Vulnerability Database pointed out, this bug “allows remote attackers to execute arbitrary code via vectors involving a crafted Cascading Style Sheets (CSS) token-sequence and crafted JavaScript code that operates on a [table-header] element.”

Project Zero informed Microsoft about the IE/Edge flaw on November 25, 2016, and gave 90 days to release the patch. Otherwise, the Project Zero will disclose vulnerability details publicly. Microsoft has acknowledged the issue and, we believe, were working hard to fix the crack, though in vain. It was expected that the fix will be released with the February’s Patch Tuesday, which, unfortunately, has been canceled due to yet unknown reasons. The usual Patch Tuesday is scheduled for March only. Up until Microsoft releases the patch, security experts recommend people to take precautionary measures and rely on Google Chrome (64-bit version) instead of Edge or IE. Besides, switching to Windows 10 from earlier versions is also a highly advisable precautionary measure to take.

Another heated question related to Microsoft’s Edge and IE bug is whether people should trust third-party patches or not. Acros Security has unveiled a temporary patch for an Internet Explorer and Edge Type Confusion Vulnerability, which may prevent the execution of malicious codes. Acros Security is aimed at unpatched vulnerabilities, end-of-life and unsupported products, vulnerable third-party software, and similar. It is pointed out that this patch is applicable for most of the exploitable vulnerabilities (e.g. format strings, binary planting, DLL injections, unchecked buffers, data patching, etc.). Nevertheless, Microsoft does not recommend Windows users to trust third-party patches. While the developers of Acros Security 0patch claim that the patch canceled as soon as the user installs the official patch released by OS vendor. However, according to Security Professional Chris Goettl, “Once Microsoft releases a fix will it install over the top of the changes from 0Patch? If any issues occur it leaves the user\company in a gray area.” Therefore, to get full support and all available fixes from Microsoft, you’d better not allow third parties to modify Microsoft’s components in any way.

About the author
Ugnius Kiguolis
Ugnius Kiguolis - The problem solver

Ugnius Kiguolis is the founder and editor-in-chief of UGetFix. He is a professional security specialist and malware analyst who has been working in IT industry for over 20 years.

Contact Ugnius Kiguolis
About the company Esolutions