1. Computing

Google’s Project Zero publishes another Microsoft vulnerability

By

google project zero publishes microsoft browser day bug hacker keyboard dark room
Google’s Project Zero is the company’s initiative to identify and eventually publicize security vulnerabilities in software and systems, with the express purpose of compelling developers to fix them. Project Zero staff notify developers about “zero-day” bugs, or those that a developer is not aware of and can be exploited, and the team then gives that vendor 90 days to fix it before it’s publicized.

Microsoft has been at the receiving end of a few of Project Zero’s efforts, raising some questions as to whether Google’s team of white hat hackers is acting irresponsibly by revealing bugs that a developer simply hasn’t had time to fix. The most recent Microsoft zero-day bug is one involving the company’s Internet Explorer and Edge browsers, as MSPU reports.

The bug, which causes browser crashes and allows nefarious parties to execute arbitrary code, was identified by Project Zero on November 25, 2016 and then published on February 23, 2017. At that time, Microsoft had already cancelled its Patch Tuesday release of bug fixes for Windows operating systems for February 2017, pushing it off until a month later — leaving systems vulnerable to this and other bugs right as Google has notified the world of the bug’s existence.

According to the Project Zero team, exploiting the vulnerability appears to be a relatively trivial task, requiring only 17 lines of HTML code. The details are meaningful mainly to developers and those who would exploit the code, but it basically involves modifying table properties. The post does not indicate precisely which versions of Internet Explorer and Edge running on which Windows operating systems are affected.

The net result is that hackers now have all of the information they need to attack vulnerable systems. Until Microsoft issues a bug fix, which could come in the next Patch Tuesday in March 2017, there’s not much users can do to avoid the bug. As MSPU points out, you can utilize or create a separate admin account on your Windows machine and then use it to make sure your primary account is running at a limited security level. That would take away much of the damage that browsers could wreak on a system, but of course could also impact how other applications function.

Editors' Recommendations

Three things the Microsoft Surface Duo 2 needs to succeed

Surface Duo hands on image.

Update Google Chrome now to patch this critical security flaw

A MacBook with Google Chrome loaded.

Microsoft brings Windows 11 design improvements to Edge browser

microsoft edge new features for holidays

The best upcoming Xbox Series X games

everything from xbox e3 2018 halo infinite feat

With Tesla bleeding money, Elon Musk initiates hardcore spending review

Tesla Model Y front

How to pre-order all of the iPhone 13 models

Apple's new iPhone 13 Pro.

The best subwoofers for 2021

A wireless subfoor resting beside a TV.

These foldable phones just got unexpected price cuts at Amazon

The Samsung Galazy Z Fold 3 and Z Flip 3.

Google TV may add ‘free channels’ — which you almost certainly already have

App icons on Chromecast with Google TV.

The Batman: Cast, release date, and everything else we know about the movie

The Batman

Apple MacBook Air, Dell XPS 13, HP Envy x360 prices slashed — but hurry!

The HP Envy x360 15 laptop with the Windows home screen on the display.

TP-Link’s Archer GX90 arrives with a dedicated express lane for gaming traffic

TP-Link Archer GX90 is a gaming router with a d dedicated fast lane for game traffic.

The best iPhone 13 screen protectors

Best iPhone 13 screen protectors.