Google reveals Microsoft bug affecting IE and Edge

Google is strict about its Project Zero disclosure rules: a vendor has 90 days to fix a bug after Google reports it, after which the details are made public. Google did exactly that last week with the announcement of two unpatched bugs, and now it is doing it again.

A security flaw in Microsoft Edge and Internet Explorer was first reported to Microsoft on Nov. 25, 2016. Microsoft was given the standard 90-day window to patch the issue before Google published it. With this month's Patch Tuesday cancelled, Microsoft did not ship a fix in time, and the bug details are now public for anyone to read.

The technical details, dense as they are, are documented in Google's Project Zero bug report. The proof of concept is only 17 lines of HTML, and loading it is enough to crash the browser; Project Zero notes the flaw could potentially be exploited for arbitrary code execution, though the published report contains a crash trigger, not a working exploit. The analysis centers on the values in two CPU registers at the crash site, "rcx" and "rax."

Google's Project Zero research team points out that an attacker can influence the value in rax by changing table properties such as border-spacing and the width of the first th element. That is what makes the crash potentially more than a denial of service: a crafted web page can steer rax toward memory the attacker controls, which is the usual first step toward turning a crash into code execution.

