Google's Project Zero outs 'severe' vulnerability in Microsoft's Edge browser

Bug made public after firm misses 90-day fix deadline

Ivan Fratric, a researcher at Google's Project Zero, has had enough of Microsoft not fixing a severe vulnerability in Microsoft Edge and has taken it public.

This is what Project Zero does. Fratric first took the issue to Microsoft last year, and this week made it public after the firm failed to fix it within Google's deadline.

The bug was reported to Microsoft in November with a three-month deadline. Last week, this 90-day deadline expired and the information was released into the wild.

The bug, known as a type-confusion bug, affects Windows 10 and below, and is as severe as it sounds. Fratric explains that "values [data] can be controlled by an attacker (with some limitations)".

After the deadline was exceeded Fratic was asked a question by an interested party about the exploit, however, he declined to provide any more detail until the bug is officially fixed.

"I will not make any further comments on exploitability, at least not until the bug is fixed. The report has too much info on that as it is (I really didn't expect this one to miss the deadline)," he said, before providing some anyway.

"The first step would be to determine why the type confusion occurred in the first place. Adding a type check somewhere in the vulnerable function might be sufficient, but it also might be just fixing the symptom and not the root cause. My hypothesis, given that there are 2 types of columns in DOM: html table columns and CSS columns, is that IE/Edge gets confused between the two."

Commenters who have tried out the exploit have reported mixed results, which will be good news for Microsoft. Incidentally, the exploit pin cushion has supplied Ars Technica with a comment about this.

"We believe in coordinated vulnerability disclosure, and we've had an ongoing conversation with Google about extending their deadline since the disclosure could potentially put customers at risk," it said.

"Microsoft has a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible."