Google disclosed a security vulnerability in Microsoft Edge and Internet Explorer yesterday that Microsoft has not patched so far.
This is the second vulnerability that Google disclosed this month. Last week, the company disclosed a Windows vulnerability that affected the gdi32.dll dynamic link library.
The new vulnerability that Google disclosed yesterday affects the web browsers Microsoft Internet Explorer and Microsoft Edge.
The issue is described as type confusion in HandleColumnBreakOnColumnSpanningElement. In practice, an attacker can create a specially crafted web page that crashes the web browser and may allow the attacker to execute code on the machine.
The technical details of the vulnerability, as well as proof of concept code, are published on Google's Project Zero website.
Edge and IE vulnerability
The bug was found on November 25th, and has been hidden from the public for a 90-day period.
Google reports vulnerabilities that its Project Zero team finds to the companies responsible for the affected products. It is Google's policy to disclose any vulnerability after 90 days if the notified company did not publish a publicly available patch for the issue.
This is why last week's and this week's vulnerabilities in Windows and the default Windows browsers were disclosed publicly.
The idea behind the 90-day deadline is to pressure companies into releasing patches for their products. If Google did not disclose the reported vulnerabilities after 90 days, companies might consider not producing patches or updates at all for their products.
The downside of disclosure is that attackers may use the information that Google discloses to create attacks against software or systems affected by it.
Microsoft postponed the February 2017 Patch Day due to a last-minute issue that the company discovered shortly before the Patch Day. It is still unclear what that last-minute issue was, only that it must have been serious enough to move all security patches of February 2017 to March.
It is unclear whether patches for the vulnerabilities that Google disclosed would have been part of the February 2017 Patch Day. Had that been the case, the vulnerabilities would still have been disclosed publicly, but the impact of the disclosure would not have been critical at all, as patches for the issues would have been available already.
Microsoft did release a security update for the built-in versions of Adobe Flash on February 22, but that has been the only security update the company released in February 2017.
Unfortunately, the failure to produce or release patches for the security vulnerabilities means that Windows users may be attacked using exploits based on the vulnerabilities.