Google’s Project Zero team has revealed another security vulnerability affecting Microsoft’s Edge and IE browsers on various Windows versions (Windows 7/8.1/10 and Windows Server 2012/2012 R2). The public disclosure was made after Microsoft failed to fix the flaw within Google’s 90-day notification policy.
About the Vulnerability
CVE-2017-0037, which has been given a CVSS severity score of 6.8, exploits a vulnerability in Windows’ Graphics Device Interface (GDI) library to crash the browser simply by rendering HTML elements and CSS style sheets. This vulnerability opens the door to remote code execution that can be used to deliver malware.
As part of the vulnerability disclosure, Google has published simple HTML and CSS code demonstrating the crash:
This is the second security flaw in Microsoft products that has come to light since the company decided to delay its weekly security fixes (a.k.a. Patch Tuesday) until mid-March. Disclosing security flaws is necessary: it allows organizations to take precautions and pushes vendors to prioritize updates. However, the fact that the details of this vulnerability are now publicly known while a patch has not been released puts dangerous, far-reaching ammo in the hands of attackers.
What Can You Do?
One option is to stop using Microsoft IE and Edge until a patch becomes available and every endpoint has been updated. However, this is not feasible for many organizations.
Another -- and more practical -- option is to leverage browser isolation technology, which handles web sessions remotely away from endpoints. Unlike conventional security approaches, isolation is not reactive, and does not require constant patching to protect against the latest zero-day exploits and vulnerabilities.
Not All Isolation Platforms are Created Equal
In the last couple of years, several browser isolation platforms have launched in the market claiming to eliminate the risk of malware infection. However, this recent vulnerability highlights important differences between various isolation approaches.
To truly isolate and eliminate threats, an isolation platform should assume that even browser rendering functionality can be vulnerable, and that rendering resources such as the above CSS file can deliver malware if sent for rendering by endpoint browsers. Another Microsoft vulnerability highlighting this important point was found in the way browsers render websites that use custom fonts.
The Solution: True Isolation™
Fireglass True Isolation™ technology is the only isolation platform that not only executes, but also renders web sessions remotely, thereby eliminating the possibility of threats delivered even via malware-prone resources such as DOM elements, CSS, images, etc.