Google Goes Public With ‘High Severity’ Bug in Microsoft Edge and Internet Explorer


Google has disclosed a second unpatched vulnerability in Microsoft’s products in less than a month. The company this time went public with a ‘high severity’ bug in Microsoft’s Edge and Internet Explorer. The company previously revealed a bug in Microsoft’s Windows Graphics Device Interface component. The new vulnerability was reported by a Google Project Zero research team member, and if not fixed, it reportedly lets attackers execute malicious code in some instances.

For those unaware, Google’s Project Zero is a cyber-security team that comprise researchers who focus on hunting down widely-affecting zero-day vulnerabilities. The National Vulnerability Database now has an entry for the bug, and it describes it as, “Microsoft Internet Explorer 11 and Microsoft Edge have a type confusion issue which allows remote attackers to execute arbitrary code via vectors involving a crafted Cascading Style Sheets (CSS) token sequence and crafted JavaScript code that operates on a TH element.”

The new bug in Microsoft’s Edge and Internet Explorer was discovered by researcher Ivan Fratric from Google Project Zero team, and is tracked by the CVE-2017-0037 identifier in Google’s bug report. Arstechnica points out that researchers in Project Zero follow policy to disclose a vulnerability details 90 days after they report the issue privately to the company. The bug report notes, “This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.”

Arstechnica got an issued statement from a Microsoft spokesman who said, “We believe in coordinated vulnerability disclosure, and we’ve had an ongoing conversation with Google about extending their deadline since the disclosure could potentially put customers at risk. Microsoft has a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible.” Notably, Microsoft cancelled February’s Patch Tuesday security updates citing a last minute issue.

As we mentioned, this is the second major Microsoft vulnerability that Google’s Project Zero has disclosed in less than a month, with the previous a Windows Graphics Device Interface (GDI) flaw that could potentially exposed sensitive data stored in memory.


Like it? Share with your friends!

What's Your Reaction?

hate hate
2
hate
confused confused
0
confused
fail fail
3
fail
fun fun
2
fun
geeky geeky
2
geeky
love love
1
love
lol lol
1
lol
omg omg
0
omg
win win
3
win
Louis Ojibe

I am a blogger

0 Comments

Your email address will not be published. Required fields are marked *

Choose A Format
Personality quiz
Series of questions that intends to reveal something about the personality
Trivia quiz
Series of questions with right and wrong answers that intends to check knowledge
Poll
Voting to make decisions or determine opinions
Story
Formatted Text with Embeds and Visuals
List
The Classic Internet Listicles
Countdown
The Classic Internet Countdowns
Open List
Submit your own item and vote up for the best submission
Ranked List
Upvote or downvote to decide the best list item
Meme
Upload your own images to make custom memes
Video
Youtube, Vimeo or Vine Embeds
Audio
Soundcloud or Mixcloud Embeds
Image
Photo or GIF
Gif
GIF format