CVE-2017-0037 – Google Project Zero discloses another unpatched Microsoft Edge and IE Vulnerability

The researchers at Google’s Project Zero have revealed another flaw, tracked as CVE-2017-0037, that affects Microsoft Edge and IE.

It has happened again, the researchers at Google’s Project Zero have revealed another flaw, tracked as CVE-2017-0037, in Microsoft products.

The flaw affects Microsoft’s Internet Explorer and Edge browsers, it was first reported on November 25 by the Google researcher Ivan Fratric, and Google publicly released the details of the vulnerability as Microsoft did not fix it within its 90-day disclosure deadline.

The CVE-2017-0037 vulnerability, so-called “type confusion flaw,” resides in a module in Microsoft Edge and Internet Explorer that let attackers execute arbitrary code on the target machine when the victim visits a malicious website.

The flaw affects all Windows 7, Windows 8.1, and Windows 10 users.

The researcher has also published a proof-of-concept exploit that can crash Edge and IE, allowing an attacker to execute code and gain administrator privileges on the affected systems.

In the note included in the exploit code, Fratric confirmed that the attack works on the 64-bit version of IE on Windows Server 2012 R2. The flaw affects both 32-bit IE 11, as well as Microsoft Edge.

Giving a look at the technical details of the CVE-2017-0037 vulnerability it is possible to note that it works by attacking a type confusion in

HandleColumnBreak

 OnColumnSpanningElement.

The 17-line proof-of-concept code crashes this process working with the two variables rcx and rax.

“However, an attacker can affect rax by modifying table properties such as border-spacing and the width of the firs th element. Let’s see what happens if an attacker can point rax to the memory he/she controls.” reads the analysis shared by Project Zero Team.

“Assuming an attacker can pass a check on line 00007ffe`8f330a59, MSHTML!Layout::Patchable<Layout::PatchableArrayData<Layout::MultiColumnBox::SMultiColumnBoxItem> >::Readable is called again with the same arguments. After that, through a series of dereferences starting from rax, a function pointer is obtained and stored in rdi. A CFG” 

Earlier this month, Microsoft delayed February’s Patch Tuesday, the experts at Project Zero publicly disclosed the flaw in Windows’ Graphics Device Interface (GDI) library because Microsoft failed to patch it within the 90-day window given by the Google.

On Tuesday Microsoft issued the security updates KB 4010250 that address flaws in Adobe Flash Player, but two already disclosed flaws remain unpatched.

The first flaw is a Windows SMB (Server Message Block) vulnerability that affects Windows 8, Windows 10 and Windows Server. It is a memory corruption vulnerability in the SMBprotocol that can be exploited by a remote attacker, the proof-of-concept exploit code of the flaw was recently publicly released.

The second flaw doesn’t address by the last security updates is the one recently disclosed by the Google Project Zero team that affects Windows operating systems ranging from Windows Vista Service Pack 2 to the latest Windows 10.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – CVE-2017-0037, Microsoft)