Google's Project Zero reveals another Microsoft flaw

Edge, IE can find themselves running unexpected code if cooked by a malicious site

By Richard Chirgwin

Posted in Security, 27th February 2017 00:26 GMT

Google's Project Zero has revealed a bug in Microsoft's Internet Explorer and Edge browsers.

First turned up on November 25, the bug offers evildoers a technique that would let a malicious web site crash a visitor's browser as the main course, with code execution as the dessert.

Detailed here, the bug works by attacking a type confusion in HandleColumnBreakOnColumnSpanningElement.

A 17-line proof-of-concept crashes the browser process; the analysis focuses on the contents of two registers, rcx and rax.

“An attacker can affect rax by modifying table properties such as border-spacing and the width of the first th element,” Project Zero's post states – so a crafted web page just needs to point rax at memory the attacker controls.

The issue was published at the end of Project Zero's 90-day disclosure deadline, and it remains unpatched.

Earlier this month, Redmond delayed February's Patch Tuesday, but last week it managed to emit a bunch of fixes for Adobe Flash. ®
