Google Details Unpatched Internet Explorer and Microsoft Edge Vulnerability

[Megalith]

The Patch Tuesday delay is probably biting Microsoft in the arse yet again. This time, Google has revealed browser bugs that affect both 32-bit and 64-bit versions of IE and Edge: an attacker may execute malicious code. The good news is that none of you actually use these browsers, right…

Google has now gone public with a security vulnerability in both Microsoft Edge and Internet Explorer. Going under the description of "Type confusion in HandleColumnBreakOnColumnSpanningElement", the bug has the potential to allow an attacker to execute malicious code. The vulnerability has been assigned the code CVE-2017-0037, and details of the flaw have been published under the terms of Google's Project Zero. Microsoft was notified about the problem 90 days ago, and as the company failed to patch it Google has made the problem public.

 

[JohnnyGatt]

I'm not a fan of this action at all. I find it cringeworthy. And I use Edge all the time it's faster than chrome and i have less problems. The memory leak in chrome will cause a random restart if you leave most social network pages open and I get this on test PC's too with fresh installs of windows.. If i just use edge I have no problems.

 

[HeavensCloud]

I'm not a fan of this action at all. I find it cringeworthy. And I use Edge all the time it's faster than chrome and i have less problems. The memory leak in chrome will cause a random restart if you leave most social network pages open and I get this on test PC's too with fresh installs of windows.. If i just use edge I have no problems.

So you would rather let Msoft leave known vulnerabilities in their browsers. K.

 

[DeathFromBelow]

I'm not a fan of this action at all. I find it cringeworthy.

I don't. They deserve it.

Is there anybody listening to feedback at Microsoft? Whether it's users complaining about the broken Windows UI or even someone like Google pointing out security issues... they always act like it's not their problem.

 

[endalykt]

Google and Microsoft going at it. What a show!

 

[JohnnyGatt]

So you would rather let Msoft leave known vulnerabilities in their browsers. K.

No but making the exploit public is not an attack on Microsoft it's an attack on the users the grandmothers who get fooled by the click bait exploits in the next 2 weeks or till the pc they use auto updates with the patch.Who will cover the cost of fixing the PC's that get hacked using this exploit? Microsoft? Google? No it's the end user. In my eyes by handing out the exploit Google are just as responsible as the scum that uses it.

 

[0neTwo]

A browser has a vulnerability? Thats crazy. Chrome has never had this issue, they are just on version 56 because its a pretty number.

 

[serious]

My computer says Edge is faster and secure, and computers don't lie!

 

[Mong00se]

No but making the exploit public is not an attack on Microsoft it's an attack on the users the grandmothers who get fooled by the click bait exploits in the next 2 weeks or till the pc they use auto updates with the patch.Who will cover the cost of fixing the PC's that get hacked using this exploit? Microsoft? Google? No it's the end user. In my eyes by handing out the exploit Google are just as responsible as the scum that uses it.

Microsoft is the real scumbag here, as they have had 3 months to fix this problem and havent. Surly as the largest software company in the world they have the resources to fix holes in their software. Holes they didn't even have to spend their own money and manpower finding because someone did it for them.

 

[chithanh]

Making vulnerabilities public is often the only way to get software vendors to act.

Also I don't think that it should be assumed that cybercriminals don't know about this vulnerability yet. After all, Google Project Zero is just a small team, using standard practices (fuzzing etc.) that are available to the vast number of cybercriminals too.

 

[Megaslug]

I agree with notifying the public of the vulnerability - I disagree with them releasing sample code to exploit the vulnerability. That is like waving a flag and saying to all the script kiddies, here you go, have at it! There is absolutely no reason for Google to be publishing code like that, it does not help get the problem solved.

 

[zomby]

google should just own MS IE browser since they are smarter at coding it. I personally prefer Firefox over Chrome, at work the standard browser is IE.
also I rather use google than safari on my phone, but since I cant delete safari, why would I have chrome which would take up that much more disk space. If only disk space wasn't a problem!? ugh.

 

[kllrnohj]

I agree with notifying the public of the vulnerability - I disagree with them releasing sample code to exploit the vulnerability. That is like waving a flag and saying to all the script kiddies, here you go, have at it! There is absolutely no reason for Google to be publishing code like that, it does not help get the problem solved.

The code Google posted only results in a crash, not an exploit. It's not a complete example. You're still safe from script kiddies.

At least, until someone else converts the explanation into an actual exploit, assuming someone hadn't already done that. You've been vulnerable for 90 days already and MSFT clearly doesn't care, so... use Edge at your own risk.