Go Back   RGN - Reliable Global News > RGN Member Lounge > Science, Tech & Computer News

Science, Tech & Computer News Discussions about the News, Hardware and Software

Reply
 
Thread Tools Display Modes

Google Reports "High-Severity" Bug in Edge/IE, NO Patch Available
  #1  
Old 02-28-2017, 07:53 AM
RFMariano's Avatar
RFMariano RFMariano is offline
Site Owner - Administrator
 
Join Date: Aug 2006
Location: Florida, USA
Age: 75
Posts: 13,357
Rep Power: 185
RFMariano is a splendid one to beholdRFMariano is a splendid one to beholdRFMariano is a splendid one to beholdRFMariano is a splendid one to beholdRFMariano is a splendid one to beholdRFMariano is a splendid one to behold
Default Google Reports "High-Severity" Bug in Edge/IE, NO Patch Available






Google Reports;

High-Severity Bug in Edge/IE,
NO Patch Available




By Dan Goodin - 2/27/2017, 4:05 PM

A member of Google's Project Zero security research team has disclosed a high-severity vulnerability in Microsoft's Edge and Internet Explorer browsers that reportedly allows attackers to execute malicious code in some instances.

The vulnerability stems from what's known as a type-confusion bug in Internet Explorer 11 and Microsoft Edge, Project Zero researcher Ivan Fratric said in a report that he sent to Microsoft on November 25 and publicly disclosed on Monday. The disclosure is in line with Google's policy of publishing vulnerability details 90 days after being privately reported. A proof-of-concept exploit Fratric developed points to data stored in memory that he said "can be controlled by an attacker (with some limitations)." Asked by a commenter how easy it would be to bypass security measures designed to prevent code execution, Fratric wrote: "I will not make any further comments on exploitability, at least not until the bug is fixed. The report has too much info on that as it is (I really didn't expect this one to miss the deadline)."

Meanwhile, the National Vulnerability Database entry for the bug, which is indexed as CVE-2017-0037, warned that it "allows remote attackers to execute arbitrary code via vectors involving a crafted Cascading Style Sheets (CSS) token sequence and crafted JavaScript code that operates on a [table-header] element."

Monday's disclosure is the second time in a week that Project Zero researchers have disclosed an unpatched security vulnerability in a Microsoft product. Last Monday, Project Zero researcher Mateusz Jurczyk published details of a flaw in Windows that exposes potentially sensitive data stored in computer memory. The two disclosures come after Microsoft canceled February's regularly scheduled batch of patches for reasons officials have yet to explain. Microsoft officials said they planned to resume the normal Patch Tuesday release cycle in March.

Under Project Zero policy, researchers disclose vulnerability details 90 days after they are privately reported whether the flaw has been patched. Fratric's disclosure didn't include any exploit code.

Further Reading
Op-ed: Windows 10 0day exploit goes wild, and so do Microsoft marketers
Those two Project Zero disclosures come on top of the release of a proof-of-concept zero-day that exploits a bug in Microsoft's server message block file server protocol. Researcher Laurent Gaffie privately reported the bug to Microsoft in December and published details in early February after Microsoft failed to fix it. The exploit allows attackers to remotely crash vulnerable computers that maintain an outgoing file share on the Internet. In a statement issued after this post went live, a Microsoft spokesman wrote:

"We believe in coordinated vulnerability disclosure, and we’ve had an ongoing conversation with Google about extending their deadline since the disclosure could potentially put customers at risk. Microsoft has a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible."

The statement provided no suggested mitigations Windows users can follow to protect themselves.

With the canceling of February's Patch Tuesday, it wouldn't be surprising if other unpatched vulnerabilities come to light in the next two weeks. So far, there are no reports of any of the flaws being actively exploited in the wild.

Windows users who want to take extra precautions should consider using the Chrome browser instead of Edge or IE until the latter two browsers are patched. Additionally, people should strongly consider moving to Windows 10, which is more immune than earlier versions to software exploits, and to use the Enhanced Mitigation Experience Toolkit to extend and enhance those protections.

SOURCE

Ed Note: You'd think... after all these years of dealing with IE and now EDGE, Microsoft would get it right. Truthfully speaking, while Edge mimics Chrome in it's editing features, that's about as far as it goes. Security in Edge is, plainly speaking WANTING. Edge has a long way to go in becoming a mainstream Web Browser. As for IE, it's tired and should be retired.


Comments Welcome..
__________________

Regards,

Reply With Quote
 
Reply

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -4. The time now is 06:45 PM.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2017, vBulletin Solutions, Inc.
Content Copyright © RGN - Reliable Global News