Unpatched Type Confusion Flaw Impacts Microsoft Browsers

Monday, September 25, 2017

Ionut Arghire


A type confusion bug in Microsoft Edge and Internet Explorer remains unpatched as Microsoft doesn’t consider it a security vulnerability, Cybellum reveals.

The issue was reported to Microsoft on August 21, 2017. The researchers say that while Microsoft has confirmed the vulnerability, it decided against releasing a patch for it, because of the special conditions required to reproduce it. Specifically, it requires developer tools to be opened.

Affecting the latest versions of x86 Edge and x86/x64 Internet Explorer, the vulnerability occurs in the layout rendering engine (EdgeHTML & MSHTML), and the security researchers claim that, with some additional work, it would be possible to reproduce the crash without the developer tools.

“The type confusion occurs in the function window.requestAnimationFrame, which expects to receive a single function pointer parameter. The vulnerability occurs because the function doesn’t properly validate the parameter, and may be called with a value that is not a function pointer (an integer value),” the researchers say.

Being treated as a pointer, the supplied integer goes through a series of dereferences and a compare function and, if all the requisites are satisfied, the function performs one more dereference and returns that value to the caller. The function pointer is checked against CFG protection and, if the test succeeds, the function pointer is called, thus providing the attacker with full control over EIP, Cybellum says.
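The check the researchers describe as missing is a callable test at registration time. The following is an added, constructed model of an animation-frame manager (not EdgeHTML/MSHTML code and not Cybellum's proof of concept) that rejects any non-callable argument before it is stored, so an integer is never later dereferenced as a function pointer:

```javascript
// Constructed model (not EdgeHTML/MSHTML code) of an animation-frame
// manager that validates its callback argument at registration time,
// the check the article says the affected engines lack.
class AnimationFrameManager {
  constructor() {
    this.nextHandle = 1;
    this.pending = new Map(); // handle -> callback
  }

  // Mirrors WebIDL callback-function conversion: anything that is not
  // callable is rejected with a TypeError before it is ever queued, so
  // a number, string or object can never reach the invoke path.
  requestAnimationFrame(callback) {
    if (typeof callback !== 'function') {
      const got = callback === null ? 'null' : typeof callback;
      throw new TypeError(
        'requestAnimationFrame: argument 1 is not callable (got ' + got + ')');
    }
    const handle = this.nextHandle++;
    this.pending.set(handle, callback);
    return handle;
  }

  cancelAnimationFrame(handle) {
    this.pending.delete(handle);
  }

  // Simulates one frame: every queued callback is invoked once with the
  // frame timestamp. The queue is cleared before callbacks run so that a
  // callback which re-registers itself lands in the next frame.
  runFrame(timestamp) {
    const batch = Array.from(this.pending.values());
    this.pending.clear();
    for (const cb of batch) cb(timestamp);
    return batch.length;
  }
}

// Returns the TypeError message if `value` is rejected at registration,
// or null if the manager accepted it.
function rejectionMessage(value) {
  try {
    new AnimationFrameManager().requestAnimationFrame(value);
    return null;
  } catch (e) {
    return e instanceof TypeError ? e.message : String(e);
  }
}
```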

The researchers argue that the only prerequisite for triggering the vulnerability is making the function AreAnyListenersFastCheck@CDebugCallbackNotificationHandlers return “true”, because the actual vulnerability lies in the function BeforeInvokeCallbackDebugHelper@CAnimationFrameManager.

According to them, the easiest way to trigger the vulnerability is to open the developer tools, but that exploitation doesn’t have the same requirement. Moreover, the researchers claim that the bug was discovered with developer tools turned off, and that viewing the page source can also trigger it.

To exploit the bug, an attacker would need to successfully control a series of dereferences, bypass or satisfy the CFG protection check, gain full control over EIP, and continue with standard exploitation until code execution has been achieved.

“Practical exploitation of this vulnerability isn’t trivial, and might require combining it with another vulnerability (e.g. an info leak). That said, this is a great starting point for a multi-browser (Edge/IE) remote code execution exploit,” the researchers say.

The security researchers note that they reported the bug to Microsoft on August 21, but that the tech giant informed them on August 30 that, “because of the hard requirement to open developer tools in order to manifest the issue, this submission doesn’t meet the bar for servicing via security update, and will not be assigned a CVE.”

However, the company suggested that typical user behavior won’t involve opening the developer console while browsing. “While we understand that users can be tricked into opening this, we don’t believe that this will be a common scenario for a typical user,” Microsoft reportedly said.

Nonetheless, the tech company agrees that opening the Developer Console alters the application and puts it in a less secure state and that the issue needs to be addressed. Moreover, Microsoft also told Cybellum that a future version of Internet Explorer will resolve the issue.
