Google Is on a Roll! Discloses Another Unpatched Flaw Following Microsoft’s Patch Tuesday Delay
Google seems to be on a mission to annoy Microsoft. The Redmond software maker had to delay February's Patch Tuesday releases due to an unspecified issue, and since then security vulnerabilities have been disclosed left and right. Well, not exactly true, but you get the point.
Google's Project Zero team has disclosed yet another vulnerability after Microsoft failed to patch it within the 90-day disclosure deadline. The potential arbitrary code execution vulnerability is in Microsoft’s Edge and Internet Explorer web browsers.
Microsoft has to fix three known, unpatched vulnerabilities
This is the second flaw that Google's Project Zero has disclosed since Microsoft announced it would skip February's planned security fixes, postponing them until March. Microsoft didn't specify the reason for its unprecedented decision to push back important security updates by a month. But since then, this is the second time in two weeks that Google has disclosed a potentially serious vulnerability in Microsoft’s Edge and Internet Explorer browsers.
Google Project Zero researcher Ivan Fratric made the details of the flaw and proof-of-concept (PoC) code public last week after Microsoft missed the 90-day disclosure deadline. Tracked as CVE-2017-0037, the vulnerability is a high-severity type confusion flaw that can be exploited to cause the web browsers to crash. The security flaw could also potentially allow remote attackers to execute arbitrary code.
Before this, on February 14, Mateusz Jurczyk of Google Project Zero had released the details of a medium-severity information disclosure flaw in the Windows GDI library.
Apart from these two, an independent security researcher had disclosed a serious flaw in Microsoft's implementation of the SMB network file-sharing protocol.
The company is now sitting on three disclosed, unpatched vulnerabilities that it failed to patch despite three-month warnings. While it was earlier believed that the company couldn't send the security fixes due to an issue in the Windows Update infrastructure, Microsoft did release a Flash Player-focused security update last Tuesday, confirming that even if there was an infrastructure issue, it is now fixed.
While Microsoft could release out-of-band security updates to fix these unpatched issues, it isn't likely that we will see any other releases until March 14 - the next Patch Tuesday.