Menu
Google discloses unpatched IE vulnerability after Patch Tuesday delay

Google discloses unpatched IE vulnerability after Patch Tuesday delay

The flaw might lead to arbitrary code execution, researchers say

Google's Project Zero team has disclosed a potential arbitrary code execution vulnerability in Internet Explorer because Microsoft has not acted within Google's 90-day disclosure deadline.

This is the second flaw in Microsoft products made public by Google Project Zero since the Redmond giant decided to skip this month's Patch Tuesday and postpone its previously planned security fixes until March.

Microsoft blamed the unprecedented decision to push back scheduled security updates by a month on a "last minute issue" that could have had an impact on customers, but the company hasn't clarified the nature of the problem.

Some people have speculated that the problem might be related to the Windows Update infrastructure and not a particular fix, but the company pushed out a Flash Player security update on Tuesday, which suggests that if there was an infrastructure problem, it is now resolved.

The newly disclosed vulnerability is a so-called type confusion flaw that affects Microsoft Edge and Internet Explorer and can potentially allow remote attackers to execute arbitrary code on the underlying system.

"No exploit is available, but a PoC [proof-of-concept] demonstrating a crash is," Carsten Eiram, chief research officer at vulnerability intelligence firm Risk Based Security, said via email. "This PoC may provide a good starting point for anyone who wants to develop a working exploit. Google [Project Zero] even includes some comments on how to possibly achieve code execution."

The Risk Based Security researchers have confirmed the potentially exploitable crash for IE11 on a fully patched Windows 10 system and have assigned a CVSS severity score of 6.8 to it, treating its impact as potential code execution.

On Feb. 14, after Microsoft announced its decision to postpone the February patches, Google Project Zero disclosed a memory disclosure vulnerability in Windows' GDI library.

Another vulnerability that has yet to be patched was publicly disclosed three weeks ago by an independent researcher. The flaw is located in Microsoft's implementation of the SMB network file-sharing protocol and can be exploited to crash Windows computers if attackers trick them into connecting to rogue SMB servers. The researcher who disclosed the vulnerability claimed Microsoft intended to patch it in February.

So, at the moment there are three zero-day vulnerabilities in Microsoft products that the company might have planned to patch on Feb. 14 but didn't. Some security researchers, including Eiram, believe Microsoft should release the patches it has now instead of waiting.

"Even if no exploits are currently available, Microsoft is gambling with their users' security," Eiram said. "If exploits do suddenly surface, Microsoft would likely have to release out-of-band security updates anyway, forcing customers to scramble to apply these fixes. It makes more sense to handle it in a proactive manner."

Software vendors' commitment to monthly patch cycles is understandable as it serves their customers' need to have some predictability about when security updates will need to be applied. However, Eiram believes that sticking to these cycles should never have a higher priority than getting security fixes out in a timely manner.

"Microsoft has always reserved the right to release out-of-band security updates when necessary, and even with no exploits available it is necessary now," he said. "There are three known, unpatched vulnerabilities and at least one of them has code execution potential."


Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Featured

Slideshows

Kiwi channel comes together for another round of After Hours

Kiwi channel comes together for another round of After Hours

The channel came together for another round of After Hours, with a bumper crowd of distributors, vendors and partners descending on The Jefferson in Auckland. Photos by Maria Stefina.​

Kiwi channel comes together for another round of After Hours
Consegna comes to town with AWS cloud offerings launch in Auckland

Consegna comes to town with AWS cloud offerings launch in Auckland

Emerging start-up Consegna has officially launched its cloud offerings in the New Zealand market, through a kick-off event held at Seafarers Building in Auckland.​ Founded in June 2016, the Auckland-based business is backed by AWS and supported by a global team of cloud specialists, leveraging global managed services partnerships with Rackspace locally.

Consegna comes to town with AWS cloud offerings launch in Auckland
Veritas honours top performing trans-Tasman partners

Veritas honours top performing trans-Tasman partners

Veritas honoured its top performing partners across the channel in Australia and New Zealand, recognising innovation and excellence on both sides of the Tasman. Revealed under the Vivid lights in Sydney, Intalock claimed the coveted Partner of the Year 2017 (Pacific) award, with Data#3 acknowledged for 12 months of strong growth across the market. Meanwhile, Datacom took home the New Zealand honours, with Global Storage and Insentra winning service provider and consulting awards respectively. Dicker Data was recognised as the standout distributor of the year, while Hitachi Data Systems claimed the alliance partner award. Photos by Bob Seary.

Veritas honours top performing trans-Tasman partners
Show Comments