Google’s Project Zero security research team has found a vulnerability that could lead to remote code execution in Microsoft’s Edge and Internet Explorer browsers. This is the fourth Microsoft bug that Google has disclosed in recent months. Microsoft has yet to properly patch three of the security flaws.
This new bug (CVE-2017-0037) is a high-severity type confusion vulnerability, which tricks a web application into misinterpreting an object. An attacker can use this flaw to crash the browsers, which can result in remote code execution. This bug affects users on Windows 7, Windows 8.1 and Windows 10.
Ivan Fratric is the researcher who discovered the bug. He was surprised Microsoft has yet to patch it given that the company was notified three months ago.
In November last year, Google waited only seven days after notifying Microsoft before publicly disclosing a critical vulnerability in the Windows kernel. The decision was met with criticism, but Google defended the move, claiming the bug was already being actively exploited.
Earlier this month, Google disclosed two more bugs. One was a flaw in the Windows Server Message Block (SMB) server that could result in a denial-of-service attack. The other was in Windows' GDI library and could lead to data theft from program memory. Microsoft had issued a patch for the GDI bug, but Mateusz Jurczyk, the Google researcher who found it, said the patch was incomplete.
Microsoft was meant to patch the SMB server flaw, but that has been delayed until the next Patch Tuesday in March.
For the latter vulnerabilities, Google gave Microsoft a 90-day heads-up before disclosing them publicly.