Google discloses unpatched IE vulnerability after Patch Tuesday delay

The flaw might lead to arbitrary code execution, researchers say

Google's Project Zero team has disclosed a potential arbitrary code execution vulnerability in Internet Explorer because Microsoft has not acted within Google's 90-day disclosure deadline.

This is the second flaw in Microsoft products made public by Google Project Zero since the Redmond giant decided to skip this month's Patch Tuesday and postpone its previously planned security fixes until March.

Microsoft blamed the unprecedented decision to push back scheduled security updates by a month on a "last minute issue" that could have had an impact on customers, but the company hasn't clarified the nature of the problem.

Some people have speculated that the problem might be related to the Windows Update infrastructure and not a particular fix, but the company pushed out a Flash Player security update on Tuesday, which suggests that if there was an infrastructure problem, it is now resolved.

The newly disclosed vulnerability is a so-called type confusion flaw that affects Microsoft Edge and Internet Explorer and can potentially allow remote attackers to execute arbitrary code on the underlying system.

"No exploit is available, but a PoC [proof-of-concept] demonstrating a crash is," Carsten Eiram, chief research officer at vulnerability intelligence firm Risk Based Security, said via email. "This PoC may provide a good starting point for anyone who wants to develop a working exploit. Google [Project Zero] even includes some comments on how to possibly achieve code execution."

The Risk Based Security researchers have confirmed the potentially exploitable crash for IE11 on a fully patched Windows 10 system and have assigned a CVSS severity score of 6.8 to it, treating its impact as potential code execution.

On Feb. 14, after Microsoft announced its decision to postpone the February patches, Google Project Zero disclosed a memory disclosure vulnerability in Windows' GDI library.

Another vulnerability that has yet to be patched was publicly disclosed three weeks ago by an independent researcher. The flaw is located in Microsoft's implementation of the SMB network file-sharing protocol and can be exploited to crash Windows computers if attackers trick them into connecting to rogue SMB servers. The researcher who disclosed the vulnerability claimed Microsoft intended to patch it in February.

So, at the moment there are three zero-day vulnerabilities in Microsoft products that the company might have planned to patch on Feb. 14 but didn't. Some security researchers, including Eiram, believe Microsoft should release the patches it has now instead of waiting.

"Even if no exploits are currently available, Microsoft is gambling with their users' security," Eiram said. "If exploits do suddenly surface, Microsoft would likely have to release out-of-band security updates anyway, forcing customers to scramble to apply these fixes. It makes more sense to handle it in a proactive manner."

Software vendors' commitment to monthly patch cycles is understandable as it serves their customers' need to have some predictability about when security updates will need to be applied. However, Eiram believes that sticking to these cycles should never have a higher priority than getting security fixes out in a timely manner.

"Microsoft has always reserved the right to release out-of-band security updates when necessary, and even with no exploits available it is necessary now," he said. "There are three known, unpatched vulnerabilities and at least one of them has code execution potential."

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?