Trustaira Blog

As we mentioned in a previous article, Windows has some serious security issues that need to be fixed. Unfortunately for users, Microsoft decided to skip its monthly update scheduled for this February. The monthly release of security fixes from Microsoft is formally known as Patch Tuesday. Microsoft usually issues the updates around 10 a.m. PT (1 p.m. ET) on the second Tuesday of each month.

Instead, they posted this message on the Microsoft Security Research Center (MSRC) blog on 14th February:

“We discovered a last-minute issue that could impact some customers and was not resolved in time for our planned updates today. After considering all options, we made the decision to delay this month’s updates.”

As a result, Microsoft has exposed its users to considerable risk for the next 30 days or more. This has drawn a good number of negative reviews from security experts. It is also not the first time we are seeing security issues with Microsoft products.

Security Issues with Microsoft and Updates Delayed in February 2017


Meanwhile, on Monday, Google's Project Zero team announced that it had found a "high severity" vulnerability in the Microsoft Edge and Internet Explorer browsers. The vulnerability could allow remote attackers to execute arbitrary code.

Under Project Zero's policy, Google publicly discloses a vulnerability once 90 days have elapsed from the time the bug was privately reported to the responsible vendor, regardless of whether the vendor has patched the issue. So it is clear that Microsoft has known about this issue for the last 90 days and has yet to fix it.

The vulnerability was reported to Microsoft on November 25 and went public on February 25, in line with Google Project Zero's 90-day disclosure policy.

The vulnerability (CVE-2017-0037) identified by Project Zero is tied to a flaw in Edge on Windows 10 and in Internet Explorer 11. It is described as a type confusion vulnerability in "HandleColumnBreakOnColumnSpanningElement", a parameter used in website tables. A type confusion vulnerability is a condition in which an application is tricked into treating an object as if it were of a different type.

Project Zero also reported that, depending on how the browsers handle the data held in the rax register, the vulnerability can be used to crash the browser and affect uninitialized memory.

To learn more about this security issue, see the post on Google's bug tracker, which includes the proof of concept.

Thank you for your interest in security.

Stay Safe.