Google Does it Again: Discloses Unpatched Microsoft Edge and IE Vulnerability
This month has yet been kind of interesting for cyber security researchers, with Google successfully cracked SHA1 and the discovery of Cloudbleed bug in Cloudflare that caused the leakage of sensitive information across sites hosted behind Cloudflare.
Besides this, Google last week disclosed an unpatched vulnerability in Windows Graphics Device Interface (GDI) library, which affects Microsoft’s Windows operating systems ranging from Windows Vista Service Pack 2 to the latest Windows 10.
While the Windows vulnerability has yet to be patched by the company, Google today released the details of another unpatched Windows security flaw in its browser, as Microsoft did not act within its 90-day disclosure deadline.
The vulnerability (CVE-2017-0037), discovered and disclosed by Google Project Zero team’s researcher Ivan Fratric, is a so-called “type confusion flaw” in a module in Microsoft Edge and Internet Explorer that potentially leads to arbitrary code execution.
Proof-of-Concept Code Released!
This time, with the details of this arbitrary code execution bug, the researcher has also published a proof-of-concept exploit that can crash Edge and IE, opening the door for potential hackers to execute code and gain administrator privileges on the affected systems.
Fratric says he successfully ran his PoC code on the 64-bit version of IE on Windows Server 2012 R2, but both 32-bit IE 11, as well as Microsoft Edge, is affected by the same vulnerability.
In short, the vulnerability affects all Windows 7, Windows 8.1, and Windows 10 users.
You can know more details about the recently disclosed flaw on Google’s bug report blog, along with proof-of-concept code that causes a crash of the browsers, though sophisticated hackers can build more dangerous exploits as well.
This vulnerability was reported to Microsoft on November 25, and it went public on February 25, after Google Project Zero’s 90-day disclosure policy.
Three Unpatched, but Already Disclosed Windows Flaws
While Microsoft has delayed this month’s Patch Tuesday and already has to patch two already disclosed, but unpatched vulnerabilities, it is hard to say if the company actually included a patch for this vulnerability discovered by Google in its next roll out of patches.
Yes, Microsoft has to patch two other severe security flaws as well, which have already been publicly disclosed with working exploit code but remain still unpatched, giving hackers enough time to target Windows users.
First one is a Windows SMB flaw that affects Windows 8, Windows 10 and Windows Server. The PoC exploit code of this flaw was released almost two weeks ago.
The other one is the vulnerability disclosed by Google last week that affects Microsoft’s Windows operating systems ranging from Windows Vista Service Pack 2 to the latest Windows 10.
Meanwhile, just to remain on the safer side, Windows users are advised to replace their Internet Explorer and Edge browsers with a different one if possible and avoid clicking on suspicious links and websites they do not trust.