Google goes public with browser flaw before Microsoft patch ready


Security researchers have discovered a flaw in Microsoft’s web browsers that could allow cyber criminals to take over the software under certain circumstances.

Google Project Zero’s Ivan Fratric reported the flaw in Edge and Internet Explorer to Microsoft last November, but went public with it this week after the tech firm failed to fix it within 90 days.

The vulnerability centres around the way the browsers handle certain formatting and page elements. It means that hackers could potentially build malicious websites that cause their victims’ browsers to crash and in some cases grant attackers control of the software.

According to the BBC, Fratric will not describe the flaw in more detail until Microsoft has patched it, and there is no evidence that attackers are exploiting it in the wild.

Microsoft did not directly comment on the vulnerability, but said it was committed to investigating security issues and was having "an ongoing conversation with Google about extending their deadline since the disclosure could potentially put customers at risk".

This is not the first time Google researchers have gone public with a flaw in a Microsoft product before the technology giant has released a patch to protect its users.

In November last year, Microsoft criticised Google for publishing details of a Windows zero-day flaw that it had not had time to fix. In that case, Google had given it a week’s notice.

"We believe in coordinated vulnerability disclosure, and [this] disclosure by Google puts customers at potential risk," a Microsoft spokesperson said at the time.

In his explanation of the newly discovered Edge and Internet Explorer vulnerability, Fratric said he “really didn’t expect this one to miss the deadline”.

According to W3Counter figures from January, Microsoft’s web browsers - Internet Explorer and Edge - are used by around eight per cent of web users.


Photo: copyright golubovy, under licence from Thinkstockphotos.co.uk

Copyright Lyonsdown Limited 2021
