The Project Zero from Google has disclosed some potentially serious vulnerability in the Microsoft’s Internet Explorer and Edge web browsers before the company could release the patches.
The details about this flaw and the proof-of-concept (PoC) code are made public last week by the Google Project Zero researcher Ivan Fratric after the Microsoft failed to meet 90-day disclosure deadline.
The security loophole which is tracked as CVE-2017-0037 was described with a high severity type confusion. By exploiting the vulnerability, an attacker can crash the browser and moreover, arbitary code execution is also possible.
This is Microsoft’s second unpatched vulnerability in a their product disclosed by the Google Project Zero this month. Earlier, researcher Mateusz Jurczyk has released various details of a vulnerability with medium severity information and it is a disclosure flaw tracked as CVE-2017-0038.
In addition to these, there is also an unpatched denial-of-service (DoS) flaw in the Windows which is caused by how the SMB traffic is handled inside.
Microsoft has only released the patches for the Adobe Flash Player this month and postponed its February 2017 updates to March 14 of this year due to an unknown “last minute issue.” It is possible that the three vulnerabilities that are affecting Windows and the browsers are supposed to be fixed by these delayed security updates.
The Microsoft on last month has claimed that the security mechanisms in the Windows 10 can block exploitation of a zero-day vulnerability even before the patches are made available for public. As an example the company provided two flaws exploited in sophisticated attacks against organisations in South Korea and the United States before fixes could be released.