Security News: Google Discloses Another Unpatched Windows Vulnerability, Edge Users at Risk

Exterminator

Google has published the details of another unpatched Windows security flaw, as per the company’s Project Zero program policy that discloses vulnerabilities still not fixed 90 days after the vendor is notified.

This time, the vulnerability is a type confusion in a module in Microsoft Edge and Internet Explorer, with Google engineer Ivan Fratric publishing a proof of concept that can crash the browsers, opening the door for potential attackers to gain administrator privileges on the affected systems.

Fratric says he made the analysis on the 64-bit version of Internet Explorer on Windows Server 2012 R2, but both 32-bit Internet Explorer 11 and Microsoft Edge should be affected by the same vulnerability. This means that Windows 7, Windows 8.1, and Windows 10 users are all exposed.

The vulnerability was reported on November 25, and according to Google Project Zero’s policy, it went public on February 25, as Microsoft is yet to deliver a patch.

Interestingly, Microsoft has already delayed this month’s Patch Tuesday cycle and is now planning to release security updates on March 14, but it’s not yet known if the company actually included a patch for this vulnerability discovered by Google in this month’s rollout or not.

Second public disclosure this month
This is the second security flaw disclosed by Google in just a couple of weeks, as the search company also published the details of a vulnerability in gdi32.dll that was first reported to Microsoft in March 2016.

Google Project Zero member Mateusz Jurczyk says Microsoft attempted to patch the flaw in June 2016, but the problem was only partially resolved, so another report was submitted to the firm in November 2016. Again, after the 3-month window expired, Jurczyk published details online.

This brings us to two different security vulnerabilities that are yet to be patched by Microsoft and whose details were posted online by Google, and it’s hard to believe that Redmond would turn to out-of-band fixes to address them before the March 14 rollout.

In the meantime, in order to remain protected against this new flaw, users are recommended to avoid clicking on websites they do not trust and to replace Internet Explorer and Microsoft Edge with a different browser if possible.
 

soccer97

I never thought I would say this, but I hope we get a lot of security patches in March.

Hopefully they have performed additional compatibility testing by now for the upcoming release.
 
Deleted member 178

Publicly disclosing a vulnerability of a competitor (aka "go ahead hackers, we just helped you compromise Edge"), then saying:

In the meantime, in order to remain protected against this new flaw, users are recommended to avoid clicking on websites they do not trust and to replace Internet Explorer and Microsoft Edge with a different browser if possible.

Very benevolent...:rolleyes:
 
