Google: We're puzzled Windows 10's Edge, IE flaw hasn't been patched by Microsoft
Google's report contains a proof-of-concept exploit detailing how crashes in Windows 10 Edge and Internet Explorer 11 can be triggered.
Google's Project Zero security arm has published details of a flaw in Windows 10 Edge and Internet Explorer 11 that would allow remote attackers to crash the browsers and execute arbitrary code.
Google reported the issue to Microsoft on November 25 and revealed the bug on Friday when Project Zero's 90-day disclosure deadline expired, despite the lack of a patch from Microsoft.
The bug is being tracked as CVE-2017-0037, which Google describes as a type confusion issue in HandleColumnBreakOnColumnSpanningElement.
A remote attacker could use this bug to execute arbitrary code on a Windows 10 machine by using a webpage with a malicious Cascading Style Sheets (CSS) token sequence and JavaScript, according to Mitre's description of the issue.
"Microsoft Internet Explorer 11 and Microsoft Edge have a type confusion issue in the Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement function in mshtml.dll, which allows remote attackers to execute arbitrary code via vectors involving a crafted Cascading Style Sheets (CSS) token sequence and crafted JavaScript code that operates on a TH element," it notes.
Google's report contains a proof-of-concept exploit detailing how the crashes in Edge and IE can be triggered.
Ivan Fratric, the Project Zero member who found the bug, says he is surprised Microsoft didn't patch this bug before its 90 days were up.
"I really didn't expect this one to miss the deadline," he wrote.
Microsoft delayed its February 2017 patch until March 14 but hasn't explained why. It did patch Flash Player-related bugs in Edge and Internet Explorer last week, but didn't address another Windows flaw disclosed by Project Zero.
Fratric notes that his write-up contains too much information to discuss details of exploitability until Microsoft has patched it.
Asked what he would do to patch the bug, Fratric replied: "The first step would be to determine why the type confusion occurred in the first place. Adding a type check somewhere in the vulnerable function might be sufficient, but it also might be just fixing the symptom and not the root cause. My hypothesis, given that there are two types of columns in DOM: html table columns and CSS columns, is that IE/Edge gets confused between the two."