Google discovers bugs in Internet Explorer and Microsoft’s Edge: publicly exposes information about them

Just last week we discussed how Microsoft did not fully address security vulnerabilities that were detected by the Project Zero research team. To get better acquainted with this group and its goals, we recommend you read our article on that earlier news. Now, history repeats itself.

In this case, Microsoft’s Edge and Internet Explorer take the hit. It was revealed that both of these browsers contain a so-called confusion bug which can lead to arbitrary code execution. What does that mean? Well, hackers would obtain remote control over a device and have the ability to execute commands. According to the researcher who discovered these vulnerabilities, there was also a problem with the process of handling information within the context rax. Due to this bug, it is possible to negatively influence the browser and uninitialized memory.

While researchers from Project Zero gave information about the discovered vulnerabilities, they did not intend to reveal too much as long as there is no patch to protect users from hackers’ attacks. Not saying too much before there is a functional fix is a crucial element for Project Zero, as there have to be some restrictions in this area.

But why were the bugs in Internet Explorer and Microsoft’s Edge disclosed in the first place? Well, as it turns out, a period of 90 days has ended and Microsoft still has not produced the necessary fix. During the given time, the corporation had to take action and release an appropriate patch, but no such fix saw the light of day. Security researchers from all over the world were puzzled by Microsoft’s decision not to release a monthly patch in February. The company explained very little about this situation, simply stating that some vital vulnerabilities were discovered at the last minute and that they delayed Microsoft from producing the regular patch. As March approaches, we hope that Microsoft will finally address all of the vulnerabilities that Google has managed to detect.

We understand that Google had to publicly announce the vulnerabilities detected in the two browsers, but they are basically telling the hacker community how Internet Explorer and Microsoft’s Edge could be crashed. Of course, the researchers who prepared the report about this bug wrote it while keeping in mind that it does not have a fix. However, we are unsure whether this is the right way to address the issue when companies are not able to fix vulnerabilities in 90 days. Maybe more time should be provided and the public announcements delayed? We cannot think of any pros that would explain the necessity for disclosure of information about vulnerabilities. Oh, wait, yes we can: good publicity for Google and its Project Zero. Even though its mission appears to be beneficial at first glance, we would propose some improvements to make it more logical. In our opinion, a longer period of time should be given to companies that are informed about vulnerabilities in their products.

Source: threatpost.com.
