It is evident that Microsoft is slow to fix critical vulnerabilities in its software. Take the example from 2015, when researchers exposed an 18-year-old "Redirect to SMB" vulnerability that allowed attackers to steal data from all versions of the Windows operating system. Add to that Google successfully cracking SHA-1, and the discovery of the Cloudbleed bug in Cloudflare, which caused the leakage of sensitive information across sites hosted behind Cloudflare.

Besides this, Google last week disclosed an unpatched vulnerability in the Windows Graphics Device Interface (GDI) library, which affects Microsoft's Windows operating systems ranging from Windows Vista Service Pack 2 to the latest Windows 10. While that Windows vulnerability has yet to be patched by the company, Google today released the details of another unpatched Windows security flaw, this time in its browsers, because Microsoft did not act within Google's 90-day disclosure deadline.

Security researchers at Google have revealed a vulnerability in Microsoft's Edge and Internet Explorer browsers that allows attackers to conduct remote code execution and take control of a victim's browser, or simply crash it. The vulnerability stems from what is known as a type-confusion bug in Internet Explorer 11 and Microsoft Edge. The critical vulnerability (CVE-2017-0037) was discovered by Google back in November 2016, giving Microsoft 90 days to fix the issue, but it looks like Microsoft did not take the deadline seriously, and eventually Google had to go public with its findings.

This time, along with the details of this arbitrary code execution bug, the researcher has also published a proof-of-concept exploit that crashes Edge and IE, opening the door for potential attackers to execute code and gain administrator privileges on the affected systems.

Fratric, the Google researcher who reported the bug, says he successfully ran his PoC code on the 64-bit version of IE on Windows Server 2012 R2, but both 32-bit IE 11 and Microsoft Edge are affected by the same vulnerability. In short, the vulnerability affects all Windows 7, Windows 8.1, and Windows 10 users.

You can find more details about the recently disclosed flaw in Google's bug report, along with the proof-of-concept code that crashes the browsers, though sophisticated attackers can build more dangerous exploits from it. At the moment, there are no indications that attackers are exploiting the vulnerability in IE or Edge, but the longer Microsoft delays a fix, the more pressure there is on Google to publicly release further information about how this vulnerability can be used. This is not the first time researchers have disclosed exploitable security flaws in Microsoft Edge. Just 4 months ago, during the Power of Community security conference, researchers fully compromised Microsoft Edge twice, leaving a big question mark over Microsoft's overall security implementation.

Microsoft also has two other severe security flaws to patch, both of which have already been publicly disclosed with working exploit code but still remain unpatched, giving attackers ample time to target Windows users. The first is a Windows SMB flaw that affects Windows 8, Windows 10 and Windows Server; the PoC exploit code for this flaw was released almost two weeks ago. The other is the vulnerability disclosed by Google last week that affects Microsoft's Windows operating systems ranging from Windows Vista Service Pack 2 to the latest Windows 10.

Meanwhile, to stay on the safe side, Windows users are advised to switch from Internet Explorer and Edge to a different browser where possible, and to avoid clicking on suspicious links and visiting websites they do not trust.