Google’s Project Zero on Monday published details of an unpatched, severe vulnerability in Microsoft’s Edge and Internet Explorer 11 browsers after its 90-day disclosure deadline expired without a fix from Microsoft. The publication, which gives attackers the technical detail needed to write exploits for the affected software, appears to be the latest consequence of Microsoft’s abrupt and still unexplained decision to cancel its monthly software update for February.
According to the National Vulnerability Database (maintained by NIST), the bug is a “type confusion” flaw, a class of memory-safety error in which code handles an object as if it were of a different type than it actually is. It could allow an attacker to execute arbitrary code remotely when the browser renders a specially crafted malicious web page. Remote code execution, or RCE, bugs are among the most severe kinds of software vulnerability, because they let an attacker run code of their choosing on the system running the affected software.
The flaw could affect anyone running the vulnerable software, which includes users of the browsers bundled with Windows 7, Windows 8.1 and Windows 10.
The vulnerability is classed as “high severity” and coded CVE-2017-0037.
Google’s vulnerability researchers — organized in the company’s Project Zero bug hunting team — have a very strict disclosure deadline. At the end of the 90-day period, the vulnerability will be published — whether or not it’s been fixed.
“Deadlines appear to be working to improve patch times and end user security — especially when enforced consistently,” Google engineers wrote in a 2015 blog post discussing their disclosure practices.
“I really didn’t expect this one to miss the deadline,” wrote Project Zero researcher Ivan Fratric, who disclosed the vulnerability privately to Microsoft on Nov. 25 in a technical report. He wrote a proof-of-concept exploit for the flaw, which is included in the disclosure, but is declining to discuss its exploitability for now.
“I will not make any further comments on exploitability, at least not until the bug is fixed. The report has too much info on that as it is,” he wrote.
But Microsoft, which has shipped security patches and other updates on the second Tuesday of each month for almost a decade and a half, abruptly cancelled February’s “Patch Tuesday” release in a terse blog entry on the day it was due.
“This month, we discovered a last minute issue that could impact some customers and was not resolved in time for our planned updates today,” the Microsoft Security Response Center (MSRC) team wrote on Feb. 14.
“After considering all options, we made the decision to delay this month’s updates.” The following day they announced that February patches would be issued on March 14.
That delay also means Microsoft is missing the 90-day deadline for other vulnerabilities it was alerted to last year. One of them, CVE-2017-0038, a medium-severity bug also reported by Project Zero, was privately disclosed to Microsoft on Nov. 16 and published 90 days later.