
Google exposes Microsoft ‘laziness’ in fixing a serious bug on Edge and IE Browsers

by Felix Omondi

Project Zero, a division at Google that handles security matters, has published in detail the vulnerabilities in Windows 10’s security in the Edge and IE 11 browsers. In a nutshell, Google’s Project Zero claims the browsers have a loophole that could allow remote hackers to crash the browsers and even execute some malicious code.

Apparently, Google reported these findings to Microsoft on November 25. From then, Google gave Microsoft 90 days to act upon the vulnerabilities found in its browsers before the search engine giant would make its revelations public.

Google researcher Ivan Fratric said in an explanation on his disclosure that he was reluctant to make the matter public, but since the time they let Microsoft know about the bug, no action has been taken to patch it.

Usually, the Project Zero team gives companies a 90-day window to patch any problem(s) it discovers in their products. That is a form of responsible disclosure on Project Zero’s part, where they allow you to fix the problem before they go public.

In the comment section of his disclosure, Fratric explains, “I will not make any further comments on exploitability, at least not until the bug is fixed. The report has too much info on that as it is (I really didn’t expect this one to miss the deadline).”

After reviewing the bug, the U.S. National Vulnerability Database has indexed this bug in the Edge and IE 11 browsers as CVE-2017-0037. The agency further warns that the bug “allows remote attackers to execute arbitrary code” and has categorized the exploit as “high-severity” under the Common Vulnerability Scoring System (CVSS), the standard scoring system for IT vulnerabilities.

In layman’s language, the loophole unearthed by Google’s Project Zero concerns how the IE 11 and Edge browsers handle instructions in formatting parts of a web page. However, the security experts privy to the case say there is no evidence to show the exploit is being used on a wide scale for purposes of malicious attacks.
