Last week, we reported about two zero-day flaws in Windows that Microsoft failed to patch in a delayed Patch Tuesday release.
One patch was supposed to fix a Windows SMB file-sharing flaw that can crash systems with denial-of-service attacks. Another flaw is a Windows graphic bug that Google’s Project Zero team warned Microsoft about months ago.
The fixes for these flaws are now expected to arrive on March 14.
While these critical bugs are still left unpatched, Google’s Project Zero team revealed yet another high-severity bug on Monday that affects Microsoft’s Edge and Internet Explorer browsers.
Ivan Fratric, a Google Project Zero researcher, disclosed the bug to Microsoft back in November, giving the company the industry-standard 90 days to fix the flaw. Now that this “responsible disclosure” timeframe has elapsed, Fratric has revealed the flaw publicly.
In a Project Zero report, this “high-severity” vulnerability (CVE-2017-0037) in Microsoft’s Edge and Internet Explorer browsers can lead to crashes, arbitrary code execution and browser hijacking due to a type confusion issue.
This flaw can essentially allow attackers to build maliciously crafted websites to trick Microsoft’s web browsers into recognizing one object for something else, thus triggering the confusion exploit.
Currently, Fratric will not reveal further details about the flaw until a fix is in place. Fortunately, there is no evidence that the vulnerability is being exploited in the wild.
“I will not make any further comments on exploitability, at least not until the bug is fixed,” Frantic wrote on the Project Zero post. “The report has too much info on that as it is.”
For its part, Microsoft wrote this in a statement after the Project Zero post went live:
“We believe in coordinated vulnerability disclosure, and we’ve had an ongoing conversation with Google about extending their deadline since the disclosure could potentially put customers at risk. Microsoft has a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible.”
What you can do
For now, be extra careful when using Microsoft Edge or Internet Explorer 11 when browsing the web. To totally avoid this bug, you may want to use Google’s own Chrome browser or Mozilla Firefox.
Keep in mind that there are still two unpatched flaws that Microsoft needs to fix. We are hoping that all these vulnerabilities will be resolved as soon as possible or at the very least, in next month’s round of Patch Tuesday updates.
To read Google Project Zero’s technical report about this bug, click here.