Google Goes Public with Unpatched Microsoft Edge and IE Vulnerability

Share this…

Google has gone public with details of a second unpatched vulnerability in Microsoft products, this time in Edge and Internet Explorer, after last week they’ve published details about a bug in the Windows GDI (Graphics Device Interface) component.

At the time of writing, the bug remains unpatched after Microsoft canceled February’s Patch Tuesday security updates, citing a “last minute issue.”

Type confusion issue affects Edge and IE

The bug, discovered by Google Project Zero researcher Ivan Fratric, is tracked by the CVE-2017-0037 identifier and is a type confusion, a kind of security flaw that can allow an attacker to execute code on the affected machine, and take over a device.

Details about CVE-2017-0037 are available in Google’s bug report, along with proof-of-concept code. The PoC code causes a crash of the exploited browser, but depending on the attacker’s skill level, more dangerous exploits could be built.

Fratric found the bug at the end of November and disclosed it today after the 90-day deadline Google provides to affected companies had expired.

The February Patch Tuesday cancellation and its consequences

It is unknown if Microsoft had intended to patch the bug with this month’s regular security updates.

Besides the Edge and IE bug, Microsoft products are also plagued by two other severe security flaws, one affecting the Windows GDI component and one the SMB file sharing protocol shipped with all Windows OS versions.

The good news is that these are just unpatched flaws and not zero-days, as no incidents have been reported as of yet where attackers used any of these three issues.

Microsoft said last week it intended to ship the February Patch Tuesday updates during March’s Patch Tuesday, scheduled for March 15.

In the meantime, Microsoft shipped some security updates this week, when it updated the Adobe Flash Player version included with Windows 10.