Google discloses unpatched IE flaw after Patch Tuesday delay

The flaw might lead to arbitrary code execution, researchers say

microsoft stock campus building
Credit: Stephen Brashear/Getty Images for Microsoft

Google's Project Zero team has disclosed a potential arbitrary code execution vulnerability in Internet Explorer because Microsoft has not acted within Google's 90-day disclosure deadline.

This is the second flaw in Microsoft products made public by Google Project Zero since the Redmond giant decided to skip this month's Patch Tuesday and postpone its previously planned security fixes until March.

Microsoft blamed the unprecedented decision to push back scheduled security updates by a month on a "last minute issue" that could have had an impact on customers, but the company hasn't clarified the nature of the problem.

Some people have speculated that the problem might be related to the Windows Update infrastructure and not a particular fix, but the company pushed out a Flash Player security update on Tuesday, which suggests that if there was an infrastructure problem, it is now resolved.

The newly disclosed vulnerability is a so-called type confusion flaw that affects Microsoft Edge and Internet Explorer and can potentially allow remote attackers to execute arbitrary code on the underlying system.

"No exploit is available, but a PoC [proof-of-concept] demonstrating a crash is," Carsten Eiram, chief research officer at vulnerability intelligence firm Risk Based Security, said via email. "This PoC may provide a good starting point for anyone who wants to develop a working exploit. Google [Project Zero] even includes some comments on how to possibly achieve code execution."

The Risk Based Security researchers have confirmed the potentially exploitable crash for IE11 on a fully patched Windows 10 system and have assigned a CVSS severity score of 6.8 to it, treating its impact as potential code execution.

On Feb. 14, after Microsoft announced its decision to postpone the February patches, Google Project Zero disclosed a memory disclosure vulnerability in Windows' GDI library.

Another vulnerability that has yet to be patched was publicly disclosed three weeks ago by an independent researcher. The flaw is located in Microsoft's implementation of the SMB network file-sharing protocol and can be exploited to crash Windows computers if attackers trick them into connecting to rogue SMB servers. The researcher who disclosed the vulnerability claimed Microsoft intended to patch it in February.

So, at the moment there are three zero-day vulnerabilities in Microsoft products that the company might have planned to patch on Feb. 14 but didn't. Some security researchers, including Eiram, believe Microsoft should release the patches it has now instead of waiting.

"Even if no exploits are currently available, Microsoft is gambling with their users' security," Eiram said. "If exploits do suddenly surface, Microsoft would likely have to release out-of-band security updates anyway, forcing customers to scramble to apply these fixes. It makes more sense to handle it in a proactive manner."

Software vendors' commitment to monthly patch cycles is understandable as it serves their customers' need to have some predictability about when security updates will need to be applied. However, Eiram believes that sticking to these cycles should never have a higher priority than getting security fixes out in a timely manner.

"Microsoft has always reserved the right to release out-of-band security updates when necessary, and even with no exploits available it is necessary now," he said. "There are three known, unpatched vulnerabilities and at least one of them has code execution potential."

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
Fix Windows 10 problems with these free Microsoft tools
Shop Tech Products at Amazon