Home > Cyber News > Google’s ProjectZero Puzzled by Microsoft, CVE-2017-0037 Still Not Patched

Google’s ProjectZero Puzzled by Microsoft, CVE-2017-0037 Still Not Patched

Google’s Project Zero reported to Microsoft a security bug in Edge and Internet Explorer 11 on November 25th, 2016, which still hasn’t been patched. The vulnerability, identified as CVE-2017-0037, would allow remote code execution where attackers could crash browsers and execute arbitrary code.

As mentioned, the bug was reported in November last year, and was revealed to the public several days ago when ProjectZero’s 90-day disclosure deadline expired. No patch has been released by Microsoft.

Related: Old Computers Make Users Drink and Shout, Microsoft Survey Says

More about CVE-2017-0037

According to Google, this vulnerability is a type confusion issue located in HandleColumnBreakOnColumnSpanningElement. The bug could be exploited by a remote attack who could use the bug to execute arbitrary code on a Windows 10 computer by simply employing a page with a malicious CSS token sequence and JavaScript, as explained by MITRE.

Here is the official description:

Microsoft Internet Explorer 11 and Microsoft Edge have a type confusion issue in the Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement function in mshtml.dll, which allows remote attackers to execute arbitrary code via vectors involving a crafted Cascading Style Sheets (CSS) token sequence and crafted JavaScript code that operates on a TH element.

In addition, Google has included a report where a proof-of-concept displays how the crashes in both browsers could be caused.

Related: Crucial Android Bugs Being Patched By Google

Google Surprised by Microsoft’s Lack of Reaction

Ivan Fratric, the researcher who found the bug says he “didn’t expect this one to miss the deadline”. The bug passed the 90-day deadline ProjectZero usually gives to vendors to fix address security issues.

On the other hand, Microsoft recently delayed its February 2017 patch which will be released on March 14. However, no explanation has been given for this delay. Flash Player-related issues were fixed in Edge and IE last week but there was no mention of the issue disclosed by Google.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *