Google’s Project Zero, a special group inside Mountain View that looks for security bugs and works alongside affected companies, has published details of a serious vulnerability that affects Windows 10, Microsoft Internet Explorer and Edge 11. The flaw allows attackers to remotely crash either Edge or Internet Explorer, forcing execution of malicious code and gaining admin privileges.
Google warned Microsoft of the danger more than 90 days ago, on November 25, but Microsoft has not yet released a patch. Google has therefore decided to go public, warning Windows users of the potential risks. Ivan Fratric, the Google researcher who discovered the flaw, explained that he does not normally reveal details until a security update exists, which is why the team waited the full 90 days, giving Microsoft plenty of time to intervene. That has not happened, so this warning became necessary.
The CVE-2017-0037 bug was classified as “very severe” by the National Vulnerability Database, which warns:
[The leak] allows hackers to execute arbitrary code remotely.
The flaw lies in the way Internet Explorer 11 and Microsoft Edge handle the interactive parts of websites. There is no evidence that the exploit is being used on a large scale, but the danger exists. A Microsoft spokesperson responded to Gizmodo regarding the disclosure:
“We believe in coordinated vulnerability disclosure, and we’ve had an ongoing conversation with Google about extending their deadline since the disclosure could potentially put customers at risk. Microsoft has a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible.”
Meanwhile, we wait for the patch.