Google Project Zero notifies Microsoft as another bug found but not patched

News by Roi Perez

Is the Google team of security researchers once again teetering on the line between responsible and irresponsible disclosure?

Google's Project Zero has disclosed a bug in Microsoft's Internet Explorer and Edge browsers: a user who visits a malicious website could have the browser crash and, potentially, attacker-supplied code executed.

First reported on November 25 last year, the bug is a type confusion in HandleColumnBreakOnColumnSpanningElement.

The Google researchers published a 17-line proof-of-concept that crashes the browser; their analysis focuses on the contents of two registers, rcx and rax.

“An attacker can affect rax by modifying table properties such as border-spacing and the width of the first th element,” Project Zero's post states, so a crafted web page only needs to steer rax at memory the attacker controls.

The Google project operates a strict rule: it notifies vendors of bugs in their software and sets a 90-day deadline for a fix, after which it publishes the details regardless. This bug had passed the 90-day limit.

Earlier this month, Google's Project Zero disclosed a bug in the Windows Graphics Component GDI library before Microsoft had fixed it. That bug, reported by Googler Mateusz Jurczyk, allows an attacker to read memory contents using crafted EMF metafiles.
