Skip to main content

Google’s Project Zero publishes another Microsoft vulnerability

A pair of hands on a laptop keyboard with two displays.
Image used with permission by copyright holder
Google’s Project Zero is the company’s initiative to identify and eventually publicize security vulnerabilities in software and systems, with the express purpose of compelling developers to fix them. Project Zero staff notify developers about “zero-day” bugs, or those that a developer is not aware of and can be exploited, and the team then gives that vendor 90 days to fix it before it’s publicized.

Microsoft has been at the receiving end of a few of Project Zero’s efforts, raising some questions as to whether Google’s team of white hat hackers is acting irresponsibly by revealing bugs that a developer simply hasn’t had time to fix. The most recent Microsoft zero-day bug is one involving the company’s Internet Explorer and Edge browsers, as MSPU reports.

The bug, which causes browser crashes and allows nefarious parties to execute arbitrary code, was identified by Project Zero on November 25, 2016 and then published on February 23, 2017. At that time, Microsoft had already cancelled its Patch Tuesday release of bug fixes for Windows operating systems for February 2017, pushing it off until a month later — leaving systems vulnerable to this and other bugs right as Google has notified the world of the bug’s existence.

According to the Project Zero team, exploiting the vulnerability appears to be a relatively trivial task, requiring only 17 lines of HTML code. The details are meaningful mainly to developers and those who would exploit the code, but it basically involves modifying table properties. The post does not indicate precisely which versions of Internet Explorer and Edge running on which Windows operating systems are affected.

The net result is that hackers now have all of the information they need to attack vulnerable systems. Until Microsoft issues a bug fix, which could come in the next Patch Tuesday in March 2017, there’s not much users can do to avoid the bug. As MSPU points out, you can utilize or create a separate admin account on your Windows machine and then use it to make sure your primary account is running at a limited security level. That would take away much of the damage that browsers could wreak on a system, but of course could also impact how other applications function.

Editors' Recommendations

Mark Coppock
Mark has been a geek since MS-DOS gave way to Windows and the PalmPilot was a thing. He’s translated his love for…
3 reasons why Microsoft Edge is better than Google Chrome
microsoft edge chromium to roll out automatically soon chrome

There once was a time when no one used Microsoft Edge. But since the Microsoft web browser moved to use the same engine as Google Chrome, it's not so bad.

In fact, the new Microsoft Edge has even surpassed Firefox in terms of popularity. I've used Edge as my daily browser ever since it launched, and after years of using Chrome before it, there are three big reasons why Microsoft Edge keeps me coming back to it over Google Chrome.
Tracking prevention and security

Read more
Frustrated security researcher discloses Windows zero-day bug, blames Microsoft
Laptop sitting on a desk showing Windows 11's built-in Microsoft Teams experience

There's a new zero-day issue in Windows, and this time the bug has been disclosed to the public by an angry security researcher. The vulnerability relates to users leveraging the command prompt with unauthorized system privileges to share dangerous content through the network.

According to a report from Bleeping Computer, Abdelhamid Naceri, the security researcher who disclosed this bug, is frustrated with Microsoft over payouts from the bug bounty program. Bounties have apparently been downgraded significantly over the past two years. Naceri isn't alone, either. One Twitter user reported in 2020 that zero-day vulnerabilities no longer pay $10,000 and are now valued at $1,000. Earlier this month, another Twitter user reported that bounties can be reduced at any time.

Read more
Microsoft Edge’s latest feature keeps you even more secure when browsing
microsoft edge chromium to roll out automatically soon chrome

The latest version of Microsoft Edge has a new hidden feature to keep you secure when browsing online. Known as "Super Duper Secure Mode," the feature improves the performance of websites and disables a browser engine commonly abused by hackers.

According to Microsoft, Super Duper Secure Mode works in two ways, balanced and strict. Balanced will learn what websites you use and trust them to use Just in Time Engine (JIT), which speeds up tasks in JavaScript. Strict, meanwhile, can break some websites, but will disable the Just in Time Engine for better security. Edge users can also add their own exceptions as they see fit.

Read more