Not content with publishing details of an unpatched Windows bug, Google has now gone public with a security vulnerability in both Microsoft Edge and Internet Explorer. Going under the description of “Type confusion in HandleColumnBreakOnColumnSpanningElement”, the bug has the potential to allow an attacker to execute malicious code.
The vulnerability has been assigned the identifier CVE-2017-0037, and details of the flaw have been published under the terms of Google’s Project Zero. Microsoft was notified about the problem 90 days ago, and as the company failed to patch it, Google has made the problem public.
An explanation of the browser bug can be found on the Project Zero website, and while the issue has been found in the 32-bit version of Internet Explorer specifically, the 64-bit version of IE, as well as Microsoft Edge, are said to be vulnerable to the same exploit.
As Microsoft has not commented on the discovery, it is not clear whether the problem was due to be fixed in this month’s Patch Tuesday. Microsoft did go as far as releasing a security patch for Flash, but the remainder of the scheduled patches for February have been pushed back into March.