Google releases details, PoC exploit code for IE, Edge flaw
As we’re impatiently waiting for Microsoft to patch vulnerabilities that were scheduled to be fixed in February, Google has released details about a serious vulnerability in the Internet Explorer and Edge browsers.
What’s more, the report also contains PoC code that, if embedded in a web page, should crash vulnerable browsers. Savvy attackers could perhaps use it as a first step of an attack that could ultimately result in remote code execution.
But Google Project Zero security researcher Ivan Fratric, who reported the flaw, refused to comment more on its exploitability.
“The report has too much info on that as it is (I really didn’t expect this one to miss the deadline),” he noted.
The bug report automatically became visible to the public three days ago, when Google’s customary 90-day disclosure deadline passed.
The flaw has been assigned the following identifier: CVE-2017-0037. Hopefully Microsoft will plug it in March, along with the other flaws that are awaiting fixes.
Microsoft has postponed the release of the patches scheduled for February 2017 Patch Tuesday because of a last-minute issue that could not be resolved in time for the planned updates.
The March 2017 Patch Tuesday is scheduled for March 14. It is still unknown whether Microsoft plans to plug the two other zero-day vulnerabilities for which exploit code has already been published.