Google’s Project Zero team has revealed another security vulnerability affecting Microsoft’s Edge and IE browsers on various Windows versions (Windows 7/8.1/10 and Windows Server 2012/2012 R2). The public disclosure was made after Microsoft failed to fix the flaw within Google’s 90-day notification policy.
About the Vulnerability
CVE-2017-0037, which has been given a CVSS severity score of 6.8, exploits a vulnerability in Windows’ Graphics Device Interface (GDI) library to crash the browser by simply rendering HTML elements and CSS style sheets. This vulnerability opens the door to remote code execution that can be used to deliver malware.
As part of the vulnerability disclosure, Google has published simple HTML and CSS code demonstrating the crash:
This is the second security flaw in Microsoft products that has come to light since the company decided to delay its weekly security fixes (a.k.a. Patch Tuesday) until mid-March. Disclosing security flaws is necessary: it allows organizations to take precautions and pushes vendors to prioritize updates. However, the fact that the details of this vulnerability are now publicly known while a patch hasn’t been released puts dangerous, far-reaching ammo in the hands of attackers.
What Can You Do?
One option is to stop using Microsoft IE and Edge until a patch becomes available, and every endpoint has been updated. However, this is not feasible for many organizations.
Another -- and more practical -- option is to leverage browser web isolation technology, which handles web sessions remotely away from endpoints. Unlike conventional security approaches, isolation is not detection-based, and does not require patching and updating to protect against the latest zero-day exploits and vulnerabilities.
Not All Isolation Platforms are Created Equal
In the last couple of years, several web isolation platforms have launched in the market claiming to eliminate the risk of malware infection. Most isolation platforms require sending rendering resources, some of them as-is, to the endpoint browser for web page rendering. This recent vulnerability exemplifies that even rendering resources can be malicious and highlights why only Symantec Web Isolation truly protects from any web vulnerability, even those delivered in HTML and CSS files.
To truly isolate and eliminate threats, an isolation platform should have the ability to not only execute but also render pages remotely. Such an approach assumes that even browser rendering functionality can be vulnerable, and that rendering resources such as the above CSS file can deliver malware if sent for rendering by endpoint browsers. Another Microsoft vulnerability highlighting this important point was found in the way browsers render websites that use custom fonts.
For information on Symantec Web Isolation, we invite you to download our data sheet.