Google’s Project Zero security division published details of a Windows 10 Edge and Internet Explorer 11 vulnerability that allows remote hackers to crash both browsers and execute malicious code.
The issue was reported privately by Google to Microsoft on November 25. Google publicly disclosed the bug on Monday after Microsoft failed to patch the bug within 90 days of being notified.
Google researcher Ivan Fratric explained in his disclosure that he’s been reluctant to reveal more details until the bug has been patched. Google’s Project Zero team commonly uses a 90-day window as a form of responsible disclosure, giving companies enough time to fix the problem before the flaw is made public.
“I will not make any further comments on exploitability, at least not until the bug is fixed,” said Fratric in the comments section of his disclosure. “The report has too much info on that as it is (I really didn’t expect this one to miss the deadline).”
The National Vulnerability Database has indexed the bug as CVE-2017-0037 and warns that it “allows remote attackers to execute arbitrary code” and categorizes the the exploit as “high-severity” using the Common Vulnerability Scoring System (CVSS), a standard scoring system for IT vulnerabilities.
The flaw concerns the way Internet Explorer 11 and Microsoft Edge handle instructions to format parts of web pages. So far, there is no evidence that the exploit is being used on a large scale by malicious attackers.
This isn’t the first time Google researcher has shamed Microsoft by disclosing an unpatched bug. As Ars Technica reports, Google researcher Mateusz Jurczyk published details last week of a flaw in Windows that exposes sensitive data stored in computer memory.
The two disclosures come after Microsoft delayed its February 2017 patch until March 14 without any explanation. We’ve reached out to Microsoft for comment on both of these vulnerabilities and will update as soon as we hear back.
For now, no fix has been released for either of the patches disclosed by Google. It’s also unclear if Microsoft will have a patch ready for either vulnerability by March 14, when its next major security patch ships. If you’re using a Windows computer right now, proceed with a high level of caution.
Update 11:46 ET: A Microsoft spokesperson sent the following statement to Gizmodo in response to the disclosure.
“We believe in coordinated vulnerability disclosure, and we’ve had an ongoing conversation with Google about extending their deadline since the disclosure could potentially put customers at risk. Microsoft has a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible.”