The Fireglass

Blog

Latest IE and EDGE Vulnerability Highlights Advantages of True Isolation™

By Zach Beiser , Mar, 01 2017

Google’s Project Zero team has revealed another security vulnerability exploiting Microsoft’s Edge and IE browsers on various windows versions (Windows 7/8.1/10 and Windows Server 2012/2012 R2). The public disclosure was made after Microsoft failed to fix the flaw within Google’s 90-day notification policy.

About the Vulnerability

 CVE-2017-0037, which has been given a CVSS severity score of 6.8, exploits a vulnerability in Windows’ Graphics Device Interface (GDI) library to crash the browser by simply rendering HTML elements and CSS styles sheets. This vulnerability opens the door to remote code execution that can be used to deliver malware.

 As part of the vulnerability disclosure, Google has put out a simple HTML and CSS code demonstrating the crash:

IE vulnerability sample code.png

 

This is the second security flaw in Microsoft products that have come to light since the company decided to delay its weekly security fixes (a.k.a. Patch Tuesday) until mid-March. While disclosing of security flaws is necessary to allow organizations to take precautions and pushes vendors to prioritize updates – the fact that the details of this vulnerability are now publicly known and a patch hasn’t been released, puts dangerous, far-reaching ammo in the hands of attackers. 

What Can You Do?

One option is to stop using Microsoft IE and Edge until a patch becomes available, and every endpoint has been updated. However, this is not feasible for many organizations.

Another -- and more practical -- option is to leverage browser isolation technology, which handles web sessions remotely away from endpoints. Unlike conventional security approaches, isolation is not reactive, and does not require constant patching to protect against the latest zero-day exploits and vulnerabilities.

 Not All Isolation Platforms are Created Equal

In the last couple of years, several browser isolation platforms have launched in the market claiming to eliminate the risk of malware infection. However, this recent vulnerability highlights important differences between various isolation approaches.

To truly isolate and eliminate threats, an isolation platform should assume that even browser rendering functionality can be vulnerable, and that rendering resources such as the above CSS file can deliver malware if sent for rendering by endpoint browsers. Another Microsoft vulnerability highlighting this important point was found in the way browsers render websites that use custom fonts.

 The Solution: True Isolation™

Fireglass True Isolation™ technology is the only isolation platform that not only executes, but also renders web sessions remotely, thereby eliminating the possibility of threats delivered even via malware-prone resources such as DOM elements, CSS, images, etc.

 To learn about the Fireglass Threat Isolation Platform, download our datasheet.

Share this blog:
Zach Beiser
Zach Beiser

Zach is Fireglass' VP Marketing and Business Development. Zach brings over 15 years of both technology and strategy experience working with fortune 500 companies (e.g. SAP & Microsoft). Prior to Fireglass and as part of Norwest Ventures Partners team, he focused on security companies and led the investment in Fireglass.

Recommended Reading