Google has released details of a bug in Microsoft’s browsing programs that would allow attackers to build websites that make the software crash.
Google researcher Ivan Fratric said the bug could, in some cases, allow attackers to hijack a victim’s browser.
The bug was found in November, but details are only now being released after the expiry of the 90-day deadline Google gave Microsoft to find a fix.
Microsoft has yet to say when it will produce a patch that removes the bug.
In an explanation of how the bug arose, Mr Fratric said he was reluctant to reveal more details until it was patched.
He said he had expected Microsoft to address the bug before the 90-day deadline had expired.
The problem is found in Internet Explorer 11 as well as the Edge browser and arises because of the way both programs handle instructions to format some parts of web pages.
In a statement, Microsoft did not comment directly on the bug and its significance but said it had a “customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible”.
It added it was involved in “an ongoing conversation with Google about extending their deadline since the disclosure could potentially put customers at risk”.
So far, there is no evidence that malicious attackers are exploiting the problem unearthed by Mr Fratric.
The publication of information about the browser bug caps a difficult period for Microsoft and the security of its software.
Earlier this month, it cancelled a regularly monthly security update without explaining why.
The update was expected to include fixes for several significant vulnerabilities.
In the same month, other security researchers released information about a way to exploit a vulnerability in some Microsoft server code.
No fix has yet been released for this vulnerability.
Source: Packet Storm – News @ February 28, 2017 at 07:15AM