Google's Project Zero research team has actively been detecting vulnerabilities in Microsoft's software products for quite some time. Back in November 2016, it revealed a "particularly serious" security flaw in Windows 10 just ten days after detailing it to Microsoft - for which it received lots of backlash. Just a few days ago, it disclosed yet another vulnerability in Windows, however, this time after its standard 90-day deadline had passed.
Now, the company has revealed yet another weakness in Microsoft's software products, and this time, the flaw pertains to Edge and Internet Explorer, which means that it does not only impact Windows 10 but other iterations of the operating system as well.
According to The Register, a security flaw in Microsoft Edge and Internet Explorer was first reported to the company on November 25, 2016. Microsoft was offered the standard 90-day window by Google to patch the issue before it was publicly revealed. Apparently, the company failed to do this, and now the vulnerability has been disclosed to the public.
Apparently, only 17 lines of HTML can lead to both the aforementioned browsers crashing, and can also cause arbitrary code execution. The attack primarily focuses on two variables "rcx" and "rax", and as Google's Project Zero research team points out, this can aid an attacker by modifying table properties so a web page just needs to modify the rax variable and point it to the memory they control.
Microsoft is yet to comment of the issue, and it's currently unclear if the fix for the aforementioned vulnerability was part of the company's delayed Patch Tuesday from this month. You can check out Google's detailed report here.
Source: The Register via MSPoweruser
49 Comments - Add comment