Menu
Google discloses unpatched IE vulnerability after Patch Tuesday delay

Google discloses unpatched IE vulnerability after Patch Tuesday delay

The flaw might lead to arbitrary code execution, researchers say

Google's Project Zero team has disclosed a potential arbitrary code execution vulnerability in Internet Explorer because Microsoft has not acted within Google's 90-day disclosure deadline.

This is the second flaw in Microsoft products made public by Google Project Zero since the Redmond giant decided to skip this month's Patch Tuesday and postpone its previously planned security fixes until March.

Microsoft blamed the unprecedented decision to push back scheduled security updates by a month on a "last minute issue" that could have had an impact on customers, but the company hasn't clarified the nature of the problem.

Some people have speculated that the problem might be related to the Windows Update infrastructure and not a particular fix, but the company pushed out a Flash Player security update on Tuesday, which suggests that if there was an infrastructure problem, it is now resolved.

The newly disclosed vulnerability is a so-called type confusion flaw that affects Microsoft Edge and Internet Explorer and can potentially allow remote attackers to execute arbitrary code on the underlying system.

"No exploit is available, but a PoC [proof-of-concept] demonstrating a crash is," Carsten Eiram, chief research officer at vulnerability intelligence firm Risk Based Security, said via email. "This PoC may provide a good starting point for anyone who wants to develop a working exploit. Google [Project Zero] even includes some comments on how to possibly achieve code execution."

The Risk Based Security researchers have confirmed the potentially exploitable crash for IE11 on a fully patched Windows 10 system and have assigned a CVSS severity score of 6.8 to it, treating its impact as potential code execution.

On Feb. 14, after Microsoft announced its decision to postpone the February patches, Google Project Zero disclosed a memory disclosure vulnerability in Windows' GDI library.

Another vulnerability that has yet to be patched was publicly disclosed three weeks ago by an independent researcher. The flaw is located in Microsoft's implementation of the SMB network file-sharing protocol and can be exploited to crash Windows computers if attackers trick them into connecting to rogue SMB servers. The researcher who disclosed the vulnerability claimed Microsoft intended to patch it in February.

So, at the moment there are three zero-day vulnerabilities in Microsoft products that the company might have planned to patch on Feb. 14 but didn't. Some security researchers, including Eiram, believe Microsoft should release the patches it has now instead of waiting.

"Even if no exploits are currently available, Microsoft is gambling with their users' security," Eiram said. "If exploits do suddenly surface, Microsoft would likely have to release out-of-band security updates anyway, forcing customers to scramble to apply these fixes. It makes more sense to handle it in a proactive manner."

Software vendors' commitment to monthly patch cycles is understandable as it serves their customers' need to have some predictability about when security updates will need to be applied. However, Eiram believes that sticking to these cycles should never have a higher priority than getting security fixes out in a timely manner.

"Microsoft has always reserved the right to release out-of-band security updates when necessary, and even with no exploits available it is necessary now," he said. "There are three known, unpatched vulnerabilities and at least one of them has code execution potential."


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Featured

Slideshows

The making of an MSSP: a blueprint for growth in NZ

The making of an MSSP: a blueprint for growth in NZ

Partners are actively building out security practices and services to match, yet remain challenged by a lack of guidance in the market. This exclusive Reseller News Roundtable - in association with Sophos - assessed the making of an MSSP, outlining the blueprint for growth and how partners can differentiate in New Zealand.

The making of an MSSP: a blueprint for growth in NZ
Reseller News Platinum Club celebrates leading partners in 2018

Reseller News Platinum Club celebrates leading partners in 2018

The leading players of the New Zealand channel came together to celebrate a year of achievement at the inaugural Reseller News Platinum Club lunch in Auckland. Following the Reseller News Innovation Awards, Platinum Club provides a platform to showcase the top performing partners and start-ups of the past 12 months, with more than ​​50 organisations in the spotlight.​​​

Reseller News Platinum Club celebrates leading partners in 2018
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP has honoured its leading partners in New Zealand during 2018, following 12 months of growth through the local channel. Unveiled during the fourth running of the ceremony in Auckland, the awards recognise and celebrate excellence, growth, consistency and engagement of standout Kiwi partners.

Meet the top performing HP partners in NZ
Show Comments