GOOGLE PROJECT ZERO RESEARCHER Ivan Fratric has had enough of Microsoft not fixing a severe vulnerability in Microsoft Edge and has blown the whistle on it.
This is what Project Zero does. Fratric took the issue to Microsoft last year, and the firm failed to fix it within Google's deadline, so the company has, naturally, made the vulnerability public.
The bug was reported to Microsoft in November under Project Zero's standard 90-day disclosure deadline. Four days ago that deadline expired and the report was made public.
The bug is a type confusion: code in the browser handles an object as if it were of a different type than it really is, so reads and writes through the wrong object layout land on memory they should never touch. It affects Windows 10 and below, and is as severe as it sounds. Fratric explains that "values [data] can be controlled by an attacker (with some limitations)".
After the deadline passed, an interested party asked Fratric about exploitability; he declined to provide any more detail until the bug is officially fixed.
"I will not make any further comments on exploitability, at least not until the bug is fixed. The report has too much info on that as it is (I really didn't expect this one to miss the deadline)," he said, before providing some anyway.
"The first step would be to determine why the type confusion occurred in the first place. Adding a type check somewhere in the vulnerable function might be sufficient, but it also might be just fixing the symptom and not the root cause. My hypothesis, given that there are 2 types of columns in DOM: html table columns and CSS columns, is that IE/Edge gets confused between the two."
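As an added illustration, which is not code from the article or from Fratric's report, the following C program shows what a type confusion looks like in a tagged object model and why a type check added in the consumer can be a symptom fix. The two column types, their layouts, the tag values and the rule string are all invented for the example and have nothing to do with Edge's real internals. One object stores an integer at the same offset where the other stores a pointer, so an unchecked accessor leaks or overwrites four bytes of that pointer (control "with some limitations"); a tag check in the accessor rejects a correctly tagged object that reached the wrong code path, but still accepts an object that was tagged wrongly upstream, which is the root-cause case the quote warns about.

```c
/* Added illustration of a type-confusion bug and of a consumer-side type
 * check that treats the symptom.  Constructed for this page: the object
 * layouts, tags and "column" types are invented and are NOT the Edge bug. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum kind { KIND_HTML_COL = 1, KIND_CSS_COL = 2 };

struct node { enum kind kind; };

/* HTML table column: every field is plain data. */
struct html_col { struct node base; uint32_t span; uint32_t width; };

/* CSS column: the field sharing html_col.width's offset is a pointer. */
struct css_col { struct node base; uint32_t gap; const char *rule; };

/* Vulnerable consumer: casts on trust, never looks at n->kind.  Applied to
 * a css_col it reads or writes the first four bytes of the rule pointer. */
static uint32_t width_unchecked(struct node *n)
{
    return ((struct html_col *)n)->width;
}

static void set_width_unchecked(struct node *n, uint32_t w)
{
    ((struct html_col *)n)->width = w;
}

/* Symptom fix: check the tag in the consumer.  0 on success, -1 on mismatch. */
static int width_checked(struct node *n, uint32_t *out)
{
    if (n->kind != KIND_HTML_COL)
        return -1;
    *out = ((struct html_col *)n)->width;
    return 0;
}

/* Root cause, simulated: an upstream constructor that tags a CSS column as
 * an HTML one.  No check in the consumer can tell this object apart. */
static void init_css_col_mistagged(struct css_col *c, const char *rule)
{
    c->base.kind = KIND_HTML_COL;   /* the wrong tag is the real bug */
    c->gap = 0;
    c->rule = rule;
}

/* The casts above are undefined behaviour by design; calling through
 * volatile function pointers stops the optimiser folding the demo away. */
static uint32_t (*volatile read_w)(struct node *) = width_unchecked;
static void (*volatile write_w)(struct node *, uint32_t) = set_width_unchecked;
static int (*volatile read_w_checked)(struct node *, uint32_t *) = width_checked;

static const char rule_text[] = "column-count: 2";   /* constructed sample */

/* 1 if the unchecked read hands back bytes of the pointer instead of a width. */
int confusion_leaks_pointer(void)
{
    struct css_col c = { { KIND_CSS_COL }, 8, rule_text };
    uint32_t leaked = read_w(&c.base);
    return memcmp(&leaked, &c.rule, sizeof leaked) == 0;
}

/* 1 if an attacker-chosen "width" lands inside the rule pointer. */
int confusion_corrupts_pointer(void)
{
    struct css_col c = { { KIND_CSS_COL }, 8, rule_text };
    write_w(&c.base, 0x41414141u);
    return c.rule != rule_text;
}

/* 1 if the type check rejects a correctly tagged css_col on the HTML path. */
int check_rejects_misrouted(void)
{
    struct css_col c = { { KIND_CSS_COL }, 8, rule_text };
    uint32_t w;
    return read_w_checked(&c.base, &w) == -1;
}

/* 1 if the same check still accepts a css_col that was mistagged upstream. */
int check_misses_mistagged(void)
{
    struct css_col c;
    uint32_t w;
    init_css_col_mistagged(&c, rule_text);
    return read_w_checked(&c.base, &w) == 0;
}

int main(void)
{
    printf("unchecked read leaks pointer bytes : %d\n", confusion_leaks_pointer());
    printf("unchecked write corrupts pointer   : %d\n", confusion_corrupts_pointer());
    printf("type check rejects misrouted object: %d\n", check_rejects_misrouted());
    printf("type check misses mistagged object : %d\n", check_misses_mistagged());
    return 0;
}
```

All four functions return 1 on a typical 64-bit build: the unchecked path exposes half of a pointer to whoever controls the "width", and the tag check only helps when the tag itself is right, which is why the quote distinguishes a check in the vulnerable function from finding out why the wrong object arrived there in the first place.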
Commenters who have tried out the exploit have reported mixed results, which will be welcome news for Microsoft. Incidentally, the exploit pin cushion has supplied Ars Technica with a statement on the matter.
"We believe in coordinated vulnerability disclosure, and we've had an ongoing conversation with Google about extending their deadline since the disclosure could potentially put customers at risk," it said.
"Microsoft has a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible."