Google discloses Edge and IE vulnerability
Google disclosed a security vulnerability in Microsoft Edge and Internet Explorer yesterday that Microsoft failed to patch up until now.
This is the second vulnerability that Google disclosed this month. Last week, the company disclosed a Windows vulnerability that affected the gdi32.dll dynamic link library in Windows.
The new vulnerability that Google disclosed yesterday affects the web browsers Microsoft Internet Explorer and Microsoft Edge.
The issue is described as type confusion in HandleColumnBreakOnColumnSpanningElement. Basically, it allows an attacker to create a specially crafted web page that crashes the web browser and may allow the attacker to execute code on the machine.
The technical details of the vulnerability, as well as proof of concept code, are published on Google's Project Zero website.
The bug was found on November 25th, and has been hidden from the public for a 90-day period.
Google reports vulnerabilities that its Project Zero team finds to the companies responsible for the affected products. It is Google's policy to disclose any vulnerability after 90 days if the notified company did not publish a publicly available patch for the issue.
This is why last week's and this week's vulnerabilities in Windows and the default Windows browsers were disclosed publicly.
The idea behind the 90-day deadline is to pressure companies into releasing patches for their products. If Google did not disclose the reported vulnerabilities after 90 days, companies might consider not producing patches or updates at all for their products.
The downside to the disclosure is that attackers may use the information that Google discloses to create attacks against software or systems affected by it.
Microsoft postponed the February 2017 Patch Day due to a last-minute issue that the company discovered shortly before the Patch Day. It is still unclear what that last-minute issue was, only that it must have been serious enough to move all security patches of February 2017 to March.
It is unclear whether patches for the vulnerabilities that Google disclosed would have been part of the February 2017 Patch Day. If that had been the case, the vulnerabilities would still have been disclosed publicly, but the impact of the disclosure would not have been critical at all, as patches for the issues would have been available already.
Microsoft did release a security update for the built-in versions of Adobe Flash on February 22, but that has been the only security update the company released in February 2017.
Unfortunately, the failure to release or produce patches for the security vulnerabilities means that Windows users may be attacked using exploits based on the vulnerabilities.
From Article: “The idea behind the 90 day deadline is to pressure companies in releasing patches for their products. If Google would not disclose the reported vulnerabilities after 90 days, companies might consider not producing patches or updates at all for their products.”
If only this would work to encourage Android OEMs to issue security patches too … I don’t know why Google lets Android OEMs get away with what they do.
My guess is the upside outweighs the downside in that scenario. Google wants Android on as many phones as possible for obvious reasons. If they pressure OEMs too much regarding security, many of the OEMs may balk and either pull out of the market (many Android OEMs barely make any money already on smartphones now) or they may do what Samsung threatened to do, and that is create their own OS. Google can only do so much, especially since carriers remain one of the primary impediments for fast updates and patches in the Android market.
I agree with Tim. An overwhelming majority of Android devices in the real world have serious unpatched security flaws.
Google seems to only be willing to apply serious pressure on other companies when it doesn’t hurt their bottom line.
The cynic in me also wonders how much of this is Google not taking kindly to the Edge team promoting the browser as more secure than Firefox or Chrome.
Google is hard on others but soft on themselves. Chrome itself has had many unresolved bugs for years; recently the ‘fit to page’ bug was resolved after 2 years. You can guess how the Google intern works.