Slashdot Mirror


Google Discloses Yet Another New Unpatched Microsoft Vulnerability In Edge/IE (bleepingcomputer.com)

An anonymous reader quotes BleepingComputer: Google has gone public with details of a second unpatched vulnerability in Microsoft products, this time in Edge and Internet Explorer, after last week they published details about a bug in the Windows GDI (Graphics Device Interface) component... The bug, discovered by Google Project Zero researcher Ivan Fratric, is tracked by the CVE-2017-0037 identifier and is a type confusion, a kind of security flaw that can allow an attacker to execute code on the affected machine, and take over a device.

Details about CVE-2017-0037 are available in Google's bug report, along with proof-of-concept code. The PoC code causes a crash of the exploited browser, but depending on the attacker's skill level, more dangerous exploits could be built... Besides the Edge and IE bug, Microsoft products are also plagued by two other severe security flaws, one affecting the Windows GDI component and one the SMB file sharing protocol shipped with all Windows OS versions...

Google's team notified Microsoft of the bug 90 days ago, only disclosing it publicly on Friday.

73 comments

  1. Unnecessary by Anonymous Coward · · Score: 1

    Okay, I get the general principle of disclosure - users are at least aware of the issue and can take steps to protect themselves, plus it puts pressure on the supplier to fix the problem thus again benefiting users - but in this case that doesn't make any sense because surely Edge doesn't actually have any users? Are there really people who don't know there are other browsers?

    1. Re:Unnecessary by Anonymous Coward · · Score: 0

      Are there really people who don't know that there are people who don't know there are other browsers?
      fart

    2. Re: Unnecessary by Anonymous Coward · · Score: 0

      Many users don't have a choice. It's the default for Windows 10 on their work computers.

    3. Re: Unnecessary by Grishnakh · · Score: 1

      The discussion in this thread is about users protecting themselves. Work computers are irrelevant: if your work computer is taken over by hackers, so what? If you were putting your personal info on there, that's your own dumb fault. It's not your computer, it's your employer's. The only thing that should happen when your employer's computer gets hacked is your employer suffers data loss and other problems, not you. You only need to notify the IT department that your computer isn't working right and let them fix it for you.

  2. What am I missing? by TheRealMindChild · · Score: 5, Interesting

    Note: The analysis below is based on a 64-bit IE (running in single process mode) running on Windows Server 2012 R2. Microsoft Symbol Server has been down for several days and that's the only configuration for which I had up-to-date symbols. However Microsoft Edge and 32-bit IE 11 should behave similarly.

    Ok, there is no information as to why this would affect any version other than the 64-bit IE that the guy tested. Especially since Edge *supposedly* uses a separate codebase, and this is an exploit in the MSHTML engine anyway.

    --

    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    1. Re:What am I missing? by Anonymous Coward · · Score: 1

      Edge wasn't a clean rewrite. It's a fork from the IE codebase.

  3. This might be payback... by supremebob · · Score: 5, Interesting

    For all of those "Chrome is draining your battery faster than Edge would" notification messages in the Windows notification center when you use Chrome with Windows 10.

    That tactic just seems slimy to me. It seems that Microsoft is once again trying to exploit their near monopoly of desktop PC OS's to regain browser market share.

    1. Re:This might be payback... by Anonymous Coward · · Score: 1

      This is as it should be. Competition, and competitors pointing out the flaws in each other's products. That creates more pressure to fix fast - and to test before sw products go out the door, which may avoid such embarrassments entirely.

      I have no sympathy with anyone wanting/expecting 'grace time' before public disclosure. (Apparently, they got some.) Compare with the open source world, where every exploit is immediately public because the bug tracker is public. You fix a serious error within hours of reporting, and deploy the fixed version immediately thereafter. I see no reason to expect less from commercial sw - on the contrary, I expect better. They have a budget, after all. They can throw money on bugfixing.

    2. Re:This might be payback... by Anonymous Coward · · Score: 1, Informative

      Have you ever done a Google search or used YouTube when not using Chrome? Constant blue bar pop-up telling you it all works better with Chrome, always comes back even if you press no, time and time again - that is slimy.

    3. Re:This might be payback... by Anonymous Coward · · Score: 0

      Who the hell uses Chrome anyway?

    4. Re:This might be payback... by raind · · Score: 2

      I do - doesn't happen on this machine...

      --
      Get up!
    5. Re:This might be payback... by Harlequin80 · · Score: 4, Interesting

      If I buy a fridge and the fridge keeps saying "Cottee's cordial tastes better than x brand you're using" I would have an issue with that.

      I hate that Windows 10 is an advertising vector.

    6. Re:This might be payback... by Anonymous Coward · · Score: 1

      This is as it should be. Competition, and competitors pointing out the flaws in each others products. That creates more pressure to fix fast

      No, it's creating an annoying and distractive load of bollocks on my notification bar.

    7. Re: This might be payback... by ArchieBunker · · Score: 1

      The majority of internet users actually.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    8. Re:This might be payback... by Anonymous Coward · · Score: 1

      I'm not seeing this with Lynx.

    9. Re:This might be payback... by Anonymous Coward · · Score: 0

      People with 64 gigs of RAM, I think.

    10. Re:This might be payback... by Anonymous Coward · · Score: 0

      Great payback strategy. "Let's fuck with the USERS of Microsoft products. Let's expose the USERS to risks. That will teach Microsoft." --signed, the Project Zero Fucks

    11. Re: This might be payback... by Anonymous Coward · · Score: 0

      That is simultaneously both correct and unbelievably sad.

    12. Re:This might be payback... by Anonymous Coward · · Score: 0

      This is just browser wars gone to the next level. If Safari had IE/Edge's desktop marketshare they would be Google's target.

      Google has replaced DNS with an idiot box, crushed other browsers given their search dominance and will not stop until they have complete control. They dictate content, structure and presentation of all websites and are the root cause of many security issues, we can thank Google for SEO spam and all of the malware used to achieve it.

      It is time we started saying no.

    13. Re:This might be payback... by GerbilKor · · Score: 1

      I use Chrome on Windows 10 90% of the time and I can't recall ever getting a notification like that. Perhaps there's an option somewhere to disable it?

    14. Re: This might be payback... by Anonymous Coward · · Score: 0

      You get that message if you navigate to google.com with a browser other than Chrome. Why would they display the message if one IS using Chrome?

    15. Re:This might be payback... by Anonymous Coward · · Score: 0

      So don't use it, then. I don't use windows either, albeit for other reasons.

    16. Re:This might be payback... by Anonymous Coward · · Score: 0

      http://picpaste.com/Chrome_alert.png

    17. Re:This might be payback... by Anonymous Coward · · Score: 0

      and Microsoft added a popup that comes up every time that you launch other browsers than Edge (telling you that Edge saves battery and is safer)

    18. Re: This might be payback... by Anonymous Coward · · Score: 1

      Never get that with Firefox

    19. Re:This might be payback... by HiThere · · Score: 1

      I'm sorry, but the primary injured parties are the users. The manufacturer is at most a secondary victim. So the delay to fix is appropriate. But 90 days is about right. If you hold off forever an unscrupulous manufacturer would just let the problem persist, and once it becomes known to the criminals, it WILL be abused. 90 days may be too long, because they might have found the problem even before Google did, but you need to allow the manufacturer *some* time to fix the problem, because they aren't the primary injured party.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    20. Re:This might be payback... by Harlequin80 · · Score: 1

      Ah if only it was that simple.

      My work machine is Linux Mint and is great. My main home pc is dual boot and spends most of its time in Mint as well. But there is no substitute for the media editing tools of Windows in Linux. Openshot is ok but doesn't hold a candle to CyberDirector. Gimp is not a substitute for Photoshop. So in the end I still keep a Windows install around.

    21. Re:This might be payback... by Ocker3 · · Score: 1

      Exactly, I don't care much if they're sniping at each other in the press; it's when they start throwing up notifications when I'm otherwise busy that I start getting angry.

  4. Terrorist Bastages by Anonymous Coward · · Score: 0

    These fargin ice holes, at Google, are terrorizing everybody. Last week it was CloudFlare, this week it's Microsoft, again.

    Bastages.

  5. but but but .. by khz6955 · · Score: 3, Funny

    Microsoft Edge running under Windows is the most secure browser on the planet, Microsoft says so.

    1. Re:but but but .. by Billly+Gates · · Score: 2, Insightful

      Microsoft Edge running under Windows is the most secure browser on the planet, Microsoft says so.

      As much as it is fashionable to bash MS at this anti-MS website, I will ask if you think Chrome is any better? It is kind of unfair as of course Google won't disclose its own bugs.

      The problem is anything that executes programs (javascript and flash count even if they are not compiled) from anywhere on an untrusted world wide platform is stupid beyond belief!

      Perhaps we can replace javascript once logic can be performed through CSS. Of course at that point I would imagine CSS would then become an attack vector.

      I will bash MS on this though: SMB is a security issue (old SMB like in Server 2003/XP especially) and I wonder why a browser would use this? Sharepoint integration perhaps, from an era of IE 7 when MS was thinking a browser is an operating system? This should be separated.

    2. Re:but but but .. by khz6955 · · Score: 1

      "As much as it is fashionable to bash MS at this anti MS website"

      For a long time, this place has been known as the Microsoft slashdot. Do you have anything to say regarding Microsoft's claims regarding the better security in Edge as compared to other browsers?

      "Internet Explorer 10 introduced Enhanced Protected Mode (EPM), based on the Windows 8 app container technology .. Microsoft Edge takes the sandbox even farther, running its content processes in app containers not just by default, but all of the time." ref

      "I will ask if you think Chrome is any better? It is kind of unfair as of course Google won't disclose it's own bugs."

      Chromium issue tracker - Monorail

    3. Re:but but but .. by Billly+Gates · · Score: 1

      IE 11/Edge may not be safer. I just feel Chrome kind of has an unfair advantage and I dislike the whole concept we have with the way the web works security wise. If you want a pro MS version of this head to www.neowin.net? Trust me, you will be shocked if you feel this site is pro MS haha.

      I go to both sites as I want to hear both sides of stories. There are some on neowin.net who do run Linux in the forums, but it is very anti android and pro MS phone and want exciting new .NET technology or Surface will be coming next kind of stories.

    4. Re:but but but .. by mwvdlee · · Score: 1

      What is unfair?
      Who is stopping Microsoft from starting a similar project to find bugs in Chrome?

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    5. Re:but but but .. by Anonymous Coward · · Score: 0

      They would have to know what a bug looks like.

    6. Re:but but but .. by HiThere · · Score: 1

      You say "Google won't disclose it's own bugs". I'm not sure I believe that, but I do believe they won't publicize them. But the real question is "Do they fix them?". Of course, that would mean they would need to inspire upgrades...which probably means they would need to disclose the bugs, if not how to abuse them.

      OTOH, there was reported a way to evade almost all bugs in recent MicroSoft products ... disable administrator mode. This sounds like it might come with considerable downsides, but it was reported to evade almost all MS* bugs.

      * MS: It's not just a disease anymore.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    7. Re:but but but .. by beastofburdon · · Score: 0

      * MS: It's not just a disease anymore.

      So, both disease and syndrome now?
      Oh I know, it is a disease and crime against humanity!

  6. can we make this a tradition? by Anonymous Coward · · Score: 0

    lets say, once a week?

  7. Google discloses by Anonymous Coward · · Score: 0

    That Judge Wapner is DEAD.

  8. Re:I applaud Google by Anonymous Coward · · Score: 1

    I applaud Google for helping to keep users safe. If you currently use IE or Edge, you should be using something else.

  9. Google are a bunch of cunts by Anonymous Coward · · Score: 0

    You don't think they are going public with unpatched Chrome vulnerabilities, no?

    1. Re:Google are a bunch of cunts by 93+Escort+Wagon · · Score: 2

      Internally "Project Zero" has a second definition - it's the number of Chrome vulnerabilities team members are allowed to investigate.

      --
      #DeleteChrome
    2. Re:Google are a bunch of cunts by Anonymous Coward · · Score: 0

      On the contrary, the Project Zero team reports bugs to us (I am a Chromium developer), and we fix them. For example, https://googleprojectzero.blogspot.com/2014/10/did-man-with-no-name-feel-insecure.html .

    3. Re:Google are a bunch of cunts by 93+Escort+Wagon · · Score: 1

      On the contrary, the Project Zero team reports bugs to us (I am a Chromium developer), and we fix them. For example, https://googleprojectzero.blog... .

      So let's take that example. That appears to be the following bug, correct?

      https://bugs.chromium.org/p/ch...

      So that bug was reported in January 2014. The patched version of Chromium, M38, was released in October 2014 - much longer than 90 days. Now as far as I can tell, the bug was not made visible to the outside world until October 2014 - am I reading that right? And, if I am, why wasn't it publicly outed sometime in April - the 90-day window Google seems to hold Windows and Mac bugs to?

      --
      #DeleteChrome
    4. Re:Google are a bunch of cunts by Anonymous Coward · · Score: 1

      You don't think they are going public with unpatched Chrome vulnerabilities, no?

      Of course people do. They give Google the exact same 90 days to respond and release a fix and then go public.

      The detail you refuse to listen to is that Google actually fixes their flaws within 90 days where Microsoft refuses to in most cases, and simply fails to do so even when they say they will eventually get around to it in a few years.

    5. Re:Google are a bunch of cunts by Anonymous Coward · · Score: 0

      The initial post on the Project Zero blog (dated July 15, 2014) served as the public introduction of the project and its goals, but no specific statements were made therein with regard to public vulnerability disclosure timeline policies. Looking at the current situation, the key factors would seem to be (1) the date upon which Project Zero decided upon a maximum disclosure window of 90 days, and (2) whether or not they elected to retroactively apply the 90 day policy to any vulnerabilities known at that time. -PCP

    6. Re:Google are a bunch of cunts by mwvdlee · · Score: 1

      Am I missing something? Wasn't the bug report public on January 2014? Do they have an option in their issue tracker to keep bug reports private?

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    7. Re:Google are a bunch of cunts by Anonymous Coward · · Score: 0

      Yes, it seems that bugs filed under 'security' are hidden from public view until they are fixed. It was unmasked in July 2014, about 6 months after it was filed. If you read the bug tracker closely it was made public after the commit to fix the bug.

    8. Re:Google are a bunch of cunts by HiThere · · Score: 1

      One hopes that's what's going on, but I don't use Chrome, so I don't follow it closely enough to know. Do *you*? Or are you just being optimistic?

      OTOH, Google definitely has a better reputation for fixing bugs than MS does.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  10. Single process mode? by Anonymous Coward · · Score: 1

    By default IE spawns multiple processes for tab isolation (like Chrome).

  11. Interesting Headline by bulled · · Score: 5, Insightful

    Why not:

    Microsoft fails to patch yet another vulnerability for 90 days?

    Right, because that isn't so much news as status quo.

  12. It's easy to "fix" bugs by Anonymous Coward · · Score: 1

    When you never test the patches thoroughly......

    I've lost track of the amount of times that Chrome updated itself and the new "security enhancements" have broken something irreparably.

    There is a reason enterprises use IE, as crappy as it is. MS does do a decent job regression testing.

    1. Re: It's easy to "fix" bugs by Anonymous Coward · · Score: 0

      Dunno if I agree. I've used Firefox and Chrome in an internal network for ten years now. In that time the amount of modding needed to support new versions? One. One line of one outdated JavaScript library used by one site.

      Compare that to IE, which has required major changes to sites for every single version change. Yet the corporate IT guys just bury their heads in the sand and keep using it. It's like watching a train wreck over and over.

  13. Re:I applaud Google by Anonymous Coward · · Score: 0

    Google -- the company that monetises peoples' private information to feed its greed -- IS KEEPING USERS SAFE!! ROFLOL.

    Ya fucking shills never cease to entertain.

  14. These Arent Bugs.. These are features by Anonymous Coward · · Score: 1

    They are put in the code for use by the NSA...

    1. Re:These Arent Bugs.. These are features by Anonymous Coward · · Score: 0

      Mod poster up please.

  15. Re:I applaud Google by Anonymous Coward · · Score: 0

    Google -- the company that monetises peoples' private information to feed its greed -- IS KEEPING USERS SAFE!! ROFLOL.

    Ya fucking shills never cease to entertain.

    Says somebody who hasn't read the Windows 10 EULA.

  16. Kafka said it by goombah99 · · Score: 1

    You become what you hate. It's an astonishingly true aphorism for many reasons. And google is on the path to becoming the new uber asshole.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Kafka said it by Anonymous Coward · · Score: 0

      Uber = asshole.

      Can't disagree with that.

    2. Re:Kafka said it by Anonymous Coward · · Score: 0

      Um, what??

  17. Re: I applaud Google by Anonymous Coward · · Score: 0

    If you type data in their OS, that data belongs to them. What's so confusing about that?

  18. Re:I applaud Google by Anonymous Coward · · Score: 0

    Au contraire, I'm not defending MS' bullshit policies either. BOTH SUCK. In this particular case, however, Google sucks much more. They're actually punishing and endangering innocent non-technical users of MS products. Fucking cunts is what they are, Project Zero ass wipes.

  19. Re:I applaud Google by Anonymous Coward · · Score: 0

    Google's entire enterprise is built on capturing, storing, and selling user information. Google is a marketing and advertising firm who has used cutting-edge technology to make sure they can capture and process the maximum amount of user data and user activity. They don't need fine print in a EULA because their purpose is clearly defined and out in the open so they can attract the wealthiest investors on the planet to keep the money flowing into their bank account.

    And Google has a habit of introducing new technologies only to drop them as soon as they get a good look at the ROI. They placate the technology groupies by keeping most of their technologies released as "beta versions" making it easier to suddenly drop their support for their newest shiny that didn't actually pan out in the production world.

  20. Google isn't helping anything by Anonymous Coward · · Score: 0

    Don't think Google is doing much but being a shit here releasing this information. Yes, it's been 90 days but some flaws need time to test and verify. Given that Microsoft had issues with February security updates, what Google did is kind of kicking Microsoft at a bad time here.

    But this problem also exposes how much IE and Edge are not that different from each other, given that these issues are affecting both of them. Just goes to show that Microsoft reincarnated IE and not really created a new browser.

  21. Disclosure is a tool to get the problem fixed. by robbak · · Score: 4, Insightful

    Actually following through with the threat to disclose in 90 days (which is far too long in my opinion) is the only way to get corporations to take vulnerability reports seriously.

    Microsoft made a choice - to push their big marketing and style changes to all their users by bundling them with necessary security updates. This bad decision means that they can't push out small security-only, no-reboot-required updates on an as-needed basis. It is this profit-driven motive that makes a short disclosure period hard for them. The right way for the world to deal with this is to keep up the pressure, so they switch back to pushing out small security-only updates as needed when needed; to rebuild their customers' trust that Microsoft's updates won't break people's systems, won't suddenly uninstall legacy software, and that sysadmins don't have to put updates through verification because they'll probably break something. This way, vulnerabilities in Windows are fixed within days of them being reported.

    There is zero excuse for not fixing a vulnerability for 90 days. If something makes it hard for a corporation to fix vulnerabilities quickly, then it is that something that needs to change. Responsible disclosure like this pushes corporations to make such changes.

    --
    Prediction for end of Universe #42: Fencepost error in Quantum_bogosort.cpp
  22. Re:I applaud Google by Anonymous Coward · · Score: 0

    Google has two options:

    Lie, so that users don't know about vulnerabilities and continue to do their thing in blissful, insecure ignorance...until their system gets pwned.

    Tell the truth, so that users can take action to protect themselves from the gaping holes in Microsoft's software.

  23. 90 days by Anonymous Coward · · Score: 0

    Google's team notified Microsoft of the bug 90 days ago, only disclosing it publicly on Friday.

    If a mechanic waited for 90 days to tell car owners about a faulty suspension, to give the car manufacturer time to fix the problem, he would rightfully be sued.

  24. Re: I applaud Google by Anonymous Coward · · Score: 0

    And if you submit data to a Google site or Google affiliated site, that data belongs to Google. What's so confusing about that?

    Microsoft is far more evil because they are tapping directly into people's PCs and stealing their personal data. Data that Google doesn't even have access to. With Google, everything they collect is voluntarily given to them. With Microsoft, they strongarm the data from users.

  25. Re:I applaud Google by Anonymous Coward · · Score: 0

    You're absolutely right. Let me subscribe my grandmother to a couple of security mailing lists and explain to her how to handle everything when good samaritans like Project Zero publish flaws for her benefit. /sarcasm

  26. Google I fix ur ads that infect/track/slow us by Anonymous Coward · · Score: 0

    Prevention = best medicine (& what u can't touch can't hurt u) via NEW APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/

    Ads & malware rob speed/security/privacy

    Hosts add speed (via hardcodes/adblocks), security (vs. bad sites/malware/poisoned dns), reliability (vs. dns down), & anonymity (vs. dns requestlogs/trackers).

    Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus + less security bugs/complexity & faster vs. addons/routers/remote dns!

    Avoids DNSChangers in routers/IP settings & dns redirects (99.999% of ISP DNS != patched vs. it) + lightens DNS load & resolves faster from local system RAM!

    * Via what u NATIVELY have built into the IP stack in FASTER kernelmode!

    APK

    P.S. - Safe https://www.virustotal.com/en/file/e01211ca36aa02e923f20adee0a3c4f5d5187dc65bdf1c997b3da3c2b0745425/analysis/1433430542/