Google Discloses Yet Another New Unpatched Microsoft Vulnerability In Edge/IE (bleepingcomputer.com)

← Back to Stories (view on slashdot.org)

Google Discloses Yet Another New Unpatched Microsoft Vulnerability In Edge/IE (bleepingcomputer.com)

Posted by EditorDavid on Sunday February 26, 2017 @09:37AM from the browser-bugs dept.

An anonymous reader quotes BleepingComputer: Google has gone public with details of a second unpatched vulnerability in Microsoft products, this time in Edge and Internet Explorer, after last week they've published details about a bug in the Windows GDI (Graphics Device Interface) component... The bug, discovered by Google Project Zero researcher Ivan Fratric, is tracked by the CVE-2017-0037 identifier and is a type confusion, a kind of security flaw that can allow an attacker to execute code on the affected machine, and take over a device.

Details about CVE-2017-0037 are available in Google's bug report, along with proof-of-concept code. The PoC code causes a crash of the exploited browser, but depending on the attacker's skill level, more dangerous exploits could be built... Besides the Edge and IE bug, Microsoft products are also plagued by two other severe security flaws, one affecting the Windows GDI component and one the SMB file sharing protocol shipped with all Windows OS versions...
Google's team notified Microsoft of the bug 90 days ago, only disclosing it publicly on Friday.

35 of 73 comments (clear)

Min score:

Reason:

Sort:

Unnecessary by Anonymous Coward · 2017-02-26 09:54 · Score: 1

Okay, I get the general principle of disclosure - users are at least aware of the issue and can take steps to protect themselves, plus it puts pressure on the supplier to fix the problem thus again benefiting users - but in this case that doesn't make any sense because surely Edge doesn't actually have any users? Are there really people who don't know there are other browsers?
1. Re: Unnecessary by Grishnakh · 2017-02-26 15:26 · Score: 1
  
  The discussion in this thread is about users protecting themselves. Work computers are irrelevant: if your work computer is taken over by hackers, so what? If you were putting your personal info on there, that's your own dumb fault. It's not your computer, it's your employer's. The only thing that should happen when your employer's computer gets hacked is your employer suffers data loss and other problems, not you. You only need to notify the IT department that your computer isn't working right and let them fix it for you.
What am I missing? by TheRealMindChild · 2017-02-26 09:56 · Score: 5, Interesting

Note: The analysis below is based on an 64-bit IE (running in single process mode) running on Windows Server 2012 R2. Microsoft Symbol Server has been down for several days and that's the only configuration for which I had up-to-date symbols. However Microsoft Edge and 32-bit IE 11should behave similarly.

Ok, there is no information as to why this would affect any version other than the 64-bit IE that the guy tested. Especially since Edge *supposedly* uses a separate codebase, and this is an exploit in the MSHTML engine anyway

--

"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
1. Re:What am I missing? by Anonymous Coward · 2017-02-26 12:28 · Score: 1
  
  Edge wasn't a clean rewrite. It's a fork from the IE codebase.
This might be payback... by supremebob · 2017-02-26 09:56 · Score: 5, Interesting

For all of those "Chrome is draining your battery faster than Edge would" notification messages in the Windows notification center when you use Chrome with Windows 10.
That tactic just seems slimy to me. It seems that Microsoft is once again trying to exploit their near monopoly of desktop PC OS's to regain browser market share.
1. Re:This might be payback... by Anonymous Coward · 2017-02-26 10:32 · Score: 1
  
  This is as it should be. Competition, and competitors pointing out the flaws in each others products. That creates more pressure to fix fast - and to test before sw products go out the door which may avoid such embarrasments entirely.
  I have no symphathy with anyone wanting/expecting 'grace time' before public disclosure. (Apparently, they got some.) Compare with the open source world, where every exploit is immediately public because the bug tracker is public. You fix a serious error within hours of reporting, and deploy the fixed version immediately thereafter. I see no reason to expect less from commercial sw - on the contrary, I expect better. They have a budget, after all. They can throw money on bugfixing.
2. Re:This might be payback... by Anonymous Coward · 2017-02-26 10:32 · Score: 1, Informative
  
  Have you ever done a Google search or used YouTube when not using Chrome. Constant blue bar pop-up up telling you it all works better with Chrome, always comes back even if you press no, time and time again - that is slimy.
3. Re:This might be payback... by raind · 2017-02-26 10:59 · Score: 2
  
  I do - doesn't happen on this machine...
  
  --
  Get up!
4. Re:This might be payback... by Harlequin80 · 2017-02-26 11:06 · Score: 4, Interesting
  
  If I buy a fridge and the fridge keeps saying "Cottee's codial tastes better than x brand you're using" I would have an issue with that.
  I hate that Windows 10 is an advertising vector.
5. Re:This might be payback... by Anonymous Coward · 2017-02-26 11:08 · Score: 1
  
  This is as it should be. Competition, and competitors pointing out the flaws in each others products. That creates more pressure to fix fast
  
  No, It's creating an annoying and distractive load of bollocks on my notification bar.
6. Re: This might be payback... by ArchieBunker · 2017-02-26 11:32 · Score: 1
  
  The majority of internet users actually.
  
  --
  Only the State obtains its revenue by coercion. - Murray Rothbard
7. Re:This might be payback... by Anonymous Coward · 2017-02-26 11:43 · Score: 1
  
  I'm not seeing this with Lynx.
8. Re:This might be payback... by GerbilKor · 2017-02-26 15:07 · Score: 1
  
  I use Chrome on Windows 10 90% of the time and I can't recall ever getting a notification like that. Perhaps there's an option somewhere to disable it?
9. Re: This might be payback... by Anonymous Coward · 2017-02-26 22:15 · Score: 1
  
  Never get that with Firefox
10. Re:This might be payback... by HiThere · 2017-02-27 06:47 · Score: 1
  
  I'm sorry, but the primary injured party are the users. The manufacturer is at most a secondary victim. So the delay to fix is appropriate. But 90 days is about right. If you hold off forever an unscrupulous manufacturer would just let the problem persist, and once it becomes known to the criminals, it WILL be abused. 90 days may be too long, because they might have found the problem even before Google did, but you need to allow the manufacturer *some* time to fix the problem, because they aren't the primary injured party.
  
  --
  
  I think we've pushed this "anyone can grow up to be president" thing too far.
11. Re:This might be payback... by Harlequin80 · 2017-02-27 14:35 · Score: 1
  
  Ah if only it was that simple.
  My work machine is linux mint and is great. My main home pc is dual boot and spends most of its time in mint as well. But there is no substitute for the media editing tools of windows in Linux. Openshot is ok but doesn't hold a candle to CyberDirector. Gimp is not a substitute for photoshop. So in the end I still keep a windows install around.
12. Re:This might be payback... by Ocker3 · 2017-03-01 14:25 · Score: 1
  
  Exactly, I don't care much if they're sniping at each other in the press, it's when they start throwing up notifications when I'm otherwise busy is when I started getting angry.
but but but .. by khz6955 · 2017-02-26 10:04 · Score: 3, Funny

Microsoft Edge running under windows is the most secure browser on the planet, Microsoft says so.
1. Re:but but but .. by Billly+Gates · 2017-02-26 11:53 · Score: 2, Insightful
  
  Microsoft Edge running under windows is the most secure browser on the planet, Microsoft says so.
  As much as it is fashionable to bash MS at this anti MS website I will ask if you think Chrome is any better? It is kind of unfair as of course Google won't disclose it's own bugs.
  The problem is anything that executes programs (javascript and flash count even if they are not compiled) from anywhere on an untrusted world wide platform is stupid beyond belief!
  Perhaps we can replace javascript once logic can be performed through CSS. Of course at that point I would imagine CSS would then become an attack vector.
  I will bash MS on this though, SMB is a security issue (old SMB like in server 2003/XP especially) and I wonder why a browser would use this? Sharepoint integration perhaps from an era of IE 7 when MS was thinking a browser is an operating system? This should be seperated
  
  --
  http://saveie6.com/
2. Re:but but but .. by khz6955 · 2017-02-26 12:15 · Score: 1
  
  "As much as it is fashionable to bash MS at this anti MS website"
  
  For a long time, this place has been know as the Microsoft slashdot. Do you have anything to say regarding Microsoft's claims regarding the better security in Edge as compared to other browsers?
  
  "Internet Explorer 10 introduced Enhanced Protected Mode (EPM), based on the Windows 8 app container technology .. Microsoft Edge takes the sandbox even farther, running its content processes in app containers not just by default, but all of the time." ref
  
  "I will ask if you think Chrome is any better? It is kind of unfair as of course Google won't disclose it's own bugs.
  
  Chromium issue tracker - Monorail
3. Re:but but but .. by Billly+Gates · 2017-02-26 12:26 · Score: 1
  
  IE 11/Edge may not be safer. I just feel Chrome kind of has an unfair advantage and I dislike the whole concept we have with the way the web works security wise. If you want a pro MS version of this head to www.neowin.net? Trust me, you will be shocked if you feel this site is pro MS haha.
  I go to both sites as I want to hear both sides of stories. There are some on neowin.net who do run Linux in the forums, but it is very anti android and pro MS phone and want exciting new .NET technology or Surface will be coming next kind of stories.
  
  --
  http://saveie6.com/
4. Re:but but but .. by mwvdlee · 2017-02-26 19:02 · Score: 1
  
  What is unfair?
  Who is stopping Microsoft from starting a similar project to find bugs in Chrome?
  
  --
  Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
5. Re:but but but .. by HiThere · 2017-02-27 06:56 · Score: 1
  
  You say "Google won't disclose it's own bugs". I'm not sure I believe that, but I do believe they won't publicize them. But the real question is "Do they fix them?". Of course, that would mean they would need to inspire upgrades...which probably means they would need to disclose the bugs, if not how to abuse them.
  OTOH, the was reported a way to evade almost all bugs in recent MicroSoft products ... disable administrator mode. This sounds like it might come with considerable in the way of downsides, but it was reported to evade almost all MS* bugs.
  * MS: It's not just a disease anymore.
  
  --
  
  I think we've pushed this "anyone can grow up to be president" thing too far.
Re:I applaud Google by Anonymous Coward · 2017-02-26 10:39 · Score: 1

I applaud Google for helping to keep users safe. If you currently use IE or Edge, you should be using something else.
Single process mode? by Anonymous Coward · 2017-02-26 10:45 · Score: 1

By default IE spawns multiple processes for tab isolation (like Chrome)
Re:Google are a bunch of cunts by 93+Escort+Wagon · 2017-02-26 10:54 · Score: 2

Internally "Project Zero" has a second definition - it's the number of Chrome vulnerabilities team members are allowed to investigate.

--
#DeleteChrome
Interesting Headline by bulled · 2017-02-26 11:20 · Score: 5, Insightful

Why not:

Microsoft fails to patch yet another vulnerability for 90 days?

Right, because isn't so much news as status quo.
It's easy to "fix" bugs by Anonymous Coward · 2017-02-26 11:29 · Score: 1

When you never test the patches thoroughly......
I've lost track of the amount of times that Chrome updated itself and the new "security enhancements" have broken something irreparably.
There is a reason enterprises use IE, as crappy as it is. MS does do a decent job regression testing.
These Arent Bugs.. These are features by Anonymous Coward · 2017-02-26 11:45 · Score: 1

They are put in the code for use by the NSA...
Kafka said it by goombah99 · 2017-02-26 13:06 · Score: 1

You become what you hate. It's an astonishingly true aphorism for many reasons. And google is on the path to becoming the new uber asshole.

--
Some drink at the fountain of knowledge. Others just gargle.
Re:Google are a bunch of cunts by 93+Escort+Wagon · 2017-02-26 13:19 · Score: 1

On the contrary, the Project Zero team reports bugs to us (I am a Chromium developer), and we fix them. For example, https://googleprojectzero.blog... .
So let's take that example. That appears to be the following bug, correct?
https://bugs.chromium.org/p/ch...
So that bug was reported in January 2014. The patched version of Chromium, M38, was released in October 2014 - much longer than 90 days. Now as far as I can tell, the bug was not made visible to the outside world until October 2014 - am I reading that right? And, if I am, why wasn't it publicly outed sometime in April - the 90-day window Google seems to hold Windows and Mac bugs to?

--
#DeleteChrome
Re:Google are a bunch of cunts by Anonymous Coward · 2017-02-26 14:09 · Score: 1

You don't think they are going public with unpatched Chrome vulnerabilities, no?
Of course people do. They give google the exact same 90 days to respond and release a fix and then go public.
The detail you refuse to listen to is that google actually fixes their flaws within 90 days where microsoft refuses to in most cases, and simply fails to do so even when they say they will eventually get around to it in a few years.
Disclosure is a tool to get the problem fixed. by robbak · 2017-02-26 19:01 · Score: 4, Insightful

Actually following through with the threat to disclose in 90 days (which is far too long in my opinion) is the only way to get corporations to take vulnerability reports seriously.

Microsoft made a choice - to push their big marketing and style changes to all their users by bundling them with necessary security updates. This bad decision means that they can't push out small security-only, no-reboot-required updates on an as-needed basis. It is this profit-driven motive that makes a short disclosure period hard for them. The right way for the world deal with this is keep up the pressure, so they switch back to pushing out small security-only updates as needed when needed; to rebuild their customer's trust that Microsoft's updates won't break people's systems, won't suddenly uninstall legacy software, that sysadmins don't have to put updates through verification because they'll probably break something. This way, vulnerabilities in windows are fixed within days of them being reported.

There is zero excuse for not fixing a vulnerability for 90 days. If something makes it hard for a corporation to fix vulnerabilities quickly, then it is that something that needs to change. Responsible disclosure like this pushes corporations to make such changes.

--
Prediction for end of Universe #42: Fencepost error in Quantum_bogosort.cpp
Re:Google are a bunch of cunts by mwvdlee · 2017-02-26 19:07 · Score: 1

Am I missing something? Wasn't the bug report public on January 2014? Do they have an option in their issue tracker to keep bug reports private?

--
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Re:Google are a bunch of cunts by HiThere · 2017-02-27 06:58 · Score: 1

One hopes that's what's going on, but I don't use Chrome, so I don't follow it closely enough to know. Do *you*? Or are you just being optimistic?
OTOH, Google definitely has a better reputation for fixing bugs than MS does.

--

I think we've pushed this "anyone can grow up to be president" thing too far.