Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


Google’s ProjectZero Puzzled by Microsoft, CVE-2017-0037 Still Not Patched

Google’s Project Zero reported to Microsoft a security bug in Edge and Internet Explorer 11 on November 25th, 2016, which still hasn’t been patched. The vulnerability, identified as CVE-2017-0037, would allow remote code execution where attackers could crash browsers and execute arbitrary code.

As mentioned, the bug was reported in November last year, and was revealed to the public several days ago when ProjectZero’s 90-day disclosure deadline expired. No patch has been released by Microsoft.

Related: Old Computers Make Users Drink and Shout, Microsoft Survey Says

More about CVE-2017-0037

According to Google, this vulnerability is a type confusion issue located in HandleColumnBreakOnColumnSpanningElement. The bug could be exploited by a remote attack who could use the bug to execute arbitrary code on a Windows 10 computer by simply employing a page with a malicious CSS token sequence and JavaScript, as explained by MITRE.

Here is the official description:

Microsoft Internet Explorer 11 and Microsoft Edge have a type confusion issue in the Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement function in mshtml.dll, which allows remote attackers to execute arbitrary code via vectors involving a crafted Cascading Style Sheets (CSS) token sequence and crafted JavaScript code that operates on a TH element.

In addition, Google has included a report where a proof-of-concept displays how the crashes in both browsers could be caused.

Related: Crucial Android Bugs Being Patched By Google

Google Surprised by Microsoft’s Lack of Reaction

Ivan Fratric, the researcher who found the bug says he “didn’t expect this one to miss the deadline”. The bug passed the 90-day deadline ProjectZero usually gives to vendors to fix address security issues.

On the other hand, Microsoft recently delayed its February 2017 patch which will be released on March 14. However, no explanation has been given for this delay. Flash Player-related issues were fixed in Edge and IE last week but there was no mention of the issue disclosed by Google.

Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.

More Posts - Website

Newsletter
Subscribe to receive regular updates about the state of PC Security and latest threads.

Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.