It is evident that Google does not like Microsoft, but it is also a fact that Microsoft is slow at fixing critical vulnerabilities in its software. Take the example from 2015, when researchers exposed an 18-year-old “Redirect to SMB” vulnerability which allowed attackers to steal data from all versions of the Windows operating system.
Now, security researchers at Google have revealed an existing vulnerability in Microsoft’s Edge and Internet Explorer browsers which allows attackers to conduct remote code execution and take control of victim’s browsers or simply crash them.
The critical vulnerability (CVE-2017-0037) was discovered by Google back in November 2016, giving Microsoft 90 days to fix the issue, but it looks like Microsoft did not take the deadline seriously and eventually Google had to go public with its findings.
The researcher who originally found the vulnerability is Ivan Fratric, a Google engineer who is still reluctant to disclose additional details about the vulnerability as it may harm Windows users on a large scale. Here, it must be noted that the vulnerability affects users on Windows 7, Windows 8.1 and Windows 10.
In a blog post, Fratric wrote that “I will not make any further comments on exploitability, at least not until the bug is fixed. The report has too much info on that as it is (I really didn’t expect this one to miss the deadline).”
In a reply to Fratric, according to the BBC, Microsoft commented that “it has a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible.”
Furthermore, Microsoft stated that it has “an ongoing conversation with Google about extending their deadline since the disclosure could potentially put customers at risk.”
At the moment, there are no indications that hackers are exploiting the vulnerability in IE or Edge, but the longer Microsoft delays the fix, the more it will force Google to publicly release crucial information about the usage of this vulnerability.
This is not the first time that researchers have disclosed exploitable security flaws in Microsoft Edge. Just four months ago, during the Power of Community security conference, researchers fully compromised Microsoft Edge twice, leaving a big question mark over Microsoft’s overall security implementation.