Google discloses third ‘high severity’ Windows bug

The latest issue is found inside Microsoft’s Internet Explorer 11 and Microsoft Edge web browsers. Both apps run on the same underlying browser engine. A problem in the way they process website files that define how to style pages could allow an attacker to run their own code and gain control of the system.
Google found the bug in November and privately contacted Microsoft. As per its usual Project Zero disclosure procedures, the company gave Microsoft 90 days to fix the issue and release a patch. That time is now up though, leaving Windows 10 machines in the wild at risk of being targeted. The researcher who found the issue admitted he’s surprised Microsoft missed the deadline, saying he “really didn’t expect” the bug to still be exploitable.
This is now the third Windows issue which Google has publicly detailed only for Microsoft to delay fixing. Serious vulnerabilities in Windows’ GDI library and SMB file-sharing protocol were meant to be fixed earlier this month. However, Microsoft cancelled its regular Patch Tuesday updates in an unprecedented turn of events, leaving users at risk. The SMB flaw is being actively exploited.
The patches now won’t be delivered until March 14. The company hasn’t said whether it will deliver a fix for the Internet Explorer and Edge flaw in the March release. It previously blamed a “last minute issue” as the cause of February’s Patch Tuesday delays. Microsoft hasn’t publicly explained why it later postponed the release entirely.
Microsoft’s backlog of bugs comes shortly after it started a public debate on Google’s disclosure policies. In November, Google detailed a critical Windows issue just seven days after informing Microsoft of the details. The company insisted that the flaw’s severity warranted “more urgent action.”
Microsoft was left far from impressed though, describing Google’s procedure as a “disappointing” move that could put users at increased risk of attack. Security experts weighed in on the highly public discussion. There’s still no unanimous consensus on what constitutes a “responsible” disclosure.
Google is now giving Microsoft some leeway though, holding back on releasing more details of the IE/Edge flaw until the company finally releases a fix. Researcher Ivan Fratric said he “will not make any further comments on exploitability” until a Windows update is available for affected customers. That won’t be for at least two weeks, leaving users exposed to specially crafted sites that exploit the flaw. There’s currently no indication it’s being used in the wild.
