Security flaw found in Microsoft Edge and Internet Explorer

Feb 25, 2017 05:56 GMT

Google has published the details of another unpatched Windows security flaw, as per the company’s Project Zero program policy that discloses vulnerabilities still not fixed 90 days after the vendor is notified.

This time, the vulnerability is a type confusion in a module in Microsoft Edge and Internet Explorer, with Google engineer Ivan Fratric publishing a proof of concept that can crash the browsers, opening the door for potential attackers to gain administrator privileges on the affected systems.

Fratric says he made the analysis on the 64-bit version of Internet Explorer on Windows Server 2012 R2, but both 32-bit Internet Explorer 11 and Microsoft Edge should be affected by the same vulnerability. This means that Windows 7, Windows 8.1, and Windows 10 users are all exposed.

The vulnerability was reported on November 25, and according to Google Project Zero’s policy, it went public on February 25, as Microsoft is yet to deliver a patch.

Interestingly, Microsoft has already delayed this month’s Patch Tuesday cycle and is now planning to release security updates on March 14, but it’s not yet known whether the company actually included a patch for this vulnerability discovered by Google in this month’s rollout.

Second public disclosure this month

This is the second security flaw disclosed by Google in just a couple of weeks, as the search company also published the details of a vulnerability in gdi32.dll that was first reported to Microsoft in March 2016.

Google Project Zero member Mateusz Jurczyk says Microsoft attempted to patch the flaw in June 2016, but the problem was only partially resolved, so another report was submitted to the firm in November 2016. Again, after the 3-month window expired, Jurczyk published details online.

This brings us to two different security vulnerabilities that are yet to be patched by Microsoft and whose details were posted online by Google, and it’s hard to believe that Redmond would turn to out-of-band fixes to address them before the March 14 rollout.

In the meantime, in order to remain protected against this new flaw, users are advised to avoid opening websites they do not trust and to replace Internet Explorer and Microsoft Edge with a different browser if possible.