Just a short week ago, Google’s Project Zero revealed a vulnerability in Windows after Microsoft failed to patch it within Google’s 90-day time frame. While not directly related, Microsoft followed up a few days later and announced that the regularly scheduled Windows security patches would instead come on March 14th, though it would continue with its plans to release Adobe Flash Player updates. Unfortunately, Google has outed Microsoft yet again and has revealed an IE/Edge browser vulnerability (via thehackernews).
According to the latest report, Google Project Zero researcher Ivan Fratric found this latest vulnerability. The vulnerability, named CVE-2017-0037, is a type confusion flaw in the module in Microsoft Edge and Internet Explorer which could lead to arbitrary code execution. Interestingly enough, Ivan Fratric published the proof-of-concept exploit, noting that he used the 64-bit version of IE on Windows Server 2012 R2, and that both 32-bit IE 11 and Microsoft Edge are affected.
If you’re the technical type, you can check out the full details on Google’s official blog here. While the vulnerability was officially reported on November 25th, and recently went public on February 25th, it will be interesting to see how the Redmond giant will react to this latest news.