Google's Project Zero has revealed a bug in Microsoft's Internet Explorer and Edge browsers, whereby if a user were to visit a malicious website, it could crash the browser and then execute code.
First found on November 25 last year, the bug works by exploiting a type confusion in HandleColumnBreakOnColumnSpanningElement.
The group of Google researchers showed a 17-line proof-of-concept which crashes that process, with a focus on two variables rcx and rax.
“An attacker can affect rax by modifying table properties such as border-spacing and the width of the first th element,” Project Zero's post states – so the crafted Web page just needs to point rax to memory they control.
The Google project operates a strict rule where it notifies companies of bugs in their software and sets a 90-day deadline for them to issue a fix, or it goes public and reveals the bug to the world. This bug had gone past the 90-day limit.

Earlier this month, Google's Project Zero revealed a bug in Windows' Graphics Component GDI Library before Microsoft had fixed it. The bug in question, reported by Googler Mateusz Jurczyk, allows an attacker to access memory using EMF metafiles.