Google's Project Zero reveals vulnerability in Internet Explorer and Microsoft Edge

Google's Project Zero has exposed another security flaw in Microsoft software — this time in Internet Explorer and Microsoft Edge. As reported by The Register, the flaw was first disclosed to Microsoft on November 25, but has now gone public after exceeding Project Zero's 90-day disclosure deadline without a patch.

The bug in question could allow a website to crash the browser and execute code with just 17 lines of HTML. If you're into the nitty-gritty technical details of the issue, you can dive into the full explanation of the flaw at Project Zero's post.

This isn't the first time Google has publicly outed a flaw in Microsoft software without a patch being issued. Most recently, the two software giants butted heads in late 2016 after Google disclosed a bug in Windows just days after alerting Microsoft. Similarly, January of 2015 saw Google publish a Windows 8.1 vulnerability just days before a patch was set to go live.

It's not clear when or how quickly Microsoft might issue a fix for this particular flaw. The company curiously delayed its usual monthly round of fixes for February, noting that they'll arrive with March's Patch Tuesday on March 14. However, the company did issue a fix for a critical Adobe Flash bug just days later, so there's a chance we could see a security fix outside of the usual monthly schedule.

Dan Thorp-Lancaster is the former Editor-in-Chief of Windows Central. He began working with Windows Central, Android Central, and iMore as a news writer in 2014 and is obsessed with tech of all sorts. You can follow Dan on Twitter @DthorpL and Instagram @heyitsdtl

  • It would be great for you to also look at and report the actual bug report and POC data. The author "thinks" MS Edge (only found in Windows 10) "should" behave just like IE11 on Windows Server 2012. A user "Comment6" states they cannot repro it with MS Edge 38.14393 or higher.
  • When I save the snippet to an htm file and open it does crash the tab in Edge.  So Edge does crash when running this.
  • And all I get it "This page is having a problem loading" with Edge 40.15042.
  • That is what Edge does when the page render causes a crash. Which is what this is about.  If there were no issues you'd have a blank page or something. If you look in your Windows Event log under Application you'll see the crashes.
  • Not quite. IE11 outrights crashes as a whole, and causes the entire iexplore.exe to stop, resulting you needing to re-open IE. Edge just tried to re-load the page, can't and displays the message, unaffecting my browsing experience.
  • Actually Edge is worse: - First visit to page, crash and install rootkit - On second refresh of page when tab crashes and reloads - read cookie saying already run and then don't crash.  Display full page.  User doesn't know. In IE - crash and user wonders if something happened.
  • And where are you getting the difference in Edge behavior from?
  • realwarder you assume this crash can be exploited. There is no evidence that it can be. Crashes are safer inherently than buffer overruns and the like. What good is a process that terminates to an attacker?
  • IE12? IE11 is the lastest and final version of that browser. There's no version 12.
  • Thanks for pointing that out. I know better. Fixed.
    Most of us want to have good income but dont know how to do that on Internet there are a lot of methods to earn huge sum, but whenever Buddies try that they get trapped in a scam/fraud so I thought to share with you a genuine and guaranteed method for free to earn huge sum of money at home anyone of you interested should visit the page. I am more than sure that you will get best result.<br>&&&ttt
    Best Of Luck for new Initiative
  • #Scroogled. I feel like Project Zero is a litteral hostage situation. You do this now or else. Screw that. 
  • How so? Google gave Microsoft 90 days worth of notice before going public with it. At some point, users need to know so they can take appropriate measures to keep themselves safe. 
  • Because this all gets complicated when they have to make sure that everything works still when applying the fix. Its like the last time they ran up against the 90 day windows and Google basically said, "Screw you, even though you said you needed another week to do it on patch tuesday we are going to release it anyways." Just another reason to not like Google. They are that arrogant brat of a kid on the play ground. And, in many cases, the people who bully someone into doing something, no matter what comes up, or else.  Oh, and they tell people what is going on when they first release the info. At 90 days they expose the code to do the exploit. I wonder if they have this same policy on the bugs they catch themselves... Probably not.
  • And while Microsoft keeps twiddling their thumbs, users are exposed to vulnerabilities. 90 days is plenty of time to get a fix for this out. 
  • Wow, how many systems do you write software for? 
  • Most likely more than you.
  • I've always hated this argument, it's like if you went into a hairdresser and they gave you a ****** haircut you'd just be fine with that because "oh, I couldn't have done any better"? No, you would rightfully have reason to complain because that is their job and they should know what they are doing, the same logic applies here.
  • Thanks to Google, they most definitly are now...
  • 90 days is too long. They should make public the flaw and recommend workaround so that their user remain protected while they are working on a fix.
  • The problem is Google deciding for MS how long it should take to fix. There is no value to going public other than embarrassing a competitor.
  • And to warn users. You think Microsoft would disclose their own bugs? 90 days is a long time, it should be even shorter for a company with as many resources as Microsoft. 
  • No it's not, some bugs take longer to determine the cause and apply a fix, then if it's applied does it actually stop the attack vector or introduce a new one. It's easy finding bugs, but determining what causes the bug is a lot more difficult especially if it's a multi-chained bug. Public disclosure should only happen when there's a zero day in the wild, otherwise this will create the situation of MS releasing a untested patch that could break x generations of code or cause another zero elsewhere. One transposed letter can be the difference between working and non-working code and good luck finding that when you have multiple classes, functions and libraries.
  • CERT gives 45 days before public disclosure: Twice that is generous, especially for the largest software vendor in the world. 
  • This makes the Google deadline very reasonable then.
  • This is a high severity sercurity bug. There is simply no excuse that (almost) 3 months are still not enough to fix that.
  • I don't see why. So some very specific HTML crashes the tab. What's the issue? If your site is affected, your site crashes. You hurt yourself. I don't see any mention of a useful exploit of the crash, or if it is at all possible.
  • Google still uses windows on a lot of it's PC's etc. In fact they are probably one of Microsoft's biggest customers. So they have as much reason as you or I to be worried about security issues.
  • None of them have Edge or IE11. That's why gmail, eBay, and just about every other Google webpage crashes or freezes Edge on my PC.
  • And yet google haven't fixed their broken crashing OS called Android in 7 years. Lol. Pot calling the kettle black.
  • what measures sre users supposed to take if there is no available fix? This has nothing to do with user safety.
  • I like when google does that. They help make windows OS better, it's like they give feedback to Microsoft. Google is the best insider ever hahahaha
  • If MS did the same thing to Google, Google would probably sue them.  I'm kind of mad that they are allowed to publicly release information that makes everyone using Edge more vulnerable, with no repurcussions.  Yeah, MS should fix it, and Google should tell them that there's an issue if they know about, but for Google to tell everybody?  Also, why is Google deliberately going through and trying to crash Edge, if for no other reason to have an excuse to smear MS?
  • Don't forget. Google uses windows on most of their Computers at their numerous sites. Not to mention all the servers they may have running Windows. Google is probably one of Microsoft's biggest customers.
  • Microsoft has done the same to Google, it has done the same to Linux, etc. etc. This is standard practice and nothing special. Google just spends a much larger amount of money/resources inspecting other people's systems than MS/the rest because they have no systems of their own.
  • And forget bout vulnerability on their own Android platform
  • Including one that will never be patched on older versions of Android
  • How about all the windows XP bugs that won't get patched?
    Android fixes also depend on the phone manufacture to make the patch and often the carrier to test and approve them. If windows patches depended on Dell or HP or whichever computer maker, windows would be much worse off.
  • if you haven't know XP already EOL. I got my security update pretty much every month directly from MS no need to wait for pc OEM. That is why MS better way doing updates.
  • I hope no one gets damaged by this exploit that Google just told everyone about. But if they do, I hope Google has to pay for it. Google breaking things and trying to find stuff is fine. Them telling people their is a problem is fine. Them blabbing to the public and demonstrating it so malware can start using it is not fine. 
  • And at what point should someone tell the user they're vulnerable?
  • That decision should be left to Microsoft, not Google. All Google should do is pass details on to Microsoft.
  • JUST F... google...
  • Why? For telling users they're vulnerable? For calling Microsoft on their lazyness? 
  • For not fixing their own battery hogging Chrome browser for like forever?
  • Battery life got significantly better after Chrome 53. That comment is outdated.
  • And lately Edge is unusable with google services like gmail, calendar docs, it totally screws the usability of my SP3. It's funny, it used to be reverse where I switched to Edge last spring cause it was destroying chrome at it's own stuff.  At this time, the past few weeks, it got flipped.  So either Edge lost something somewhere or something changed in the google services to make it less performant on Edge.  Will never know I guess, but I just know from experience cause I have google services for work I use everyday.
  • It wouldn't be the first time a website broke their content for a specific browser.  I have seen it before on Google and Apple sites.
  • Interesting. I had those problems ever since Edge was released with Windows 10. After a few months of wanting to kick my PC, I got the sudden urge to reinstall the bloated, buggy Chrome browser which magically appeared to have been patched to work butter smooth. Ahhh, screw you Google and your corporate games with MS. I switched all my services to Microsoft except YouTube, MS doesn't have anything to match YouTube. Google is playing cat and mouse with Microsoft by first sabotaging Chrome on Windows to create interest in their browser friendly Chromebooks, then MS launched Edge to give back what Google sabotaged only to have Google sabotage their own services on Edge to get users to go back to their Chrome browser that they patched up to better compete with edge. Funny thing is, Microsoft is just rolling with the punches and getting smarter with every blow Google delivers.
  • There are apps for that, mail, calendar.
    But even better: Do you know there is actually a Google app in the store? It's like a sandbox browser for all the Google services. That is great way to use them, whenever I have to, without polluting my normal browsing in Edge with Google's tracking, analyzing, etc.
  • Why not just use chrome?
  • Thanks to Google some blind fanboys over here will whine while they just did a greater favor
  • Yes, that why they are called fanboys. Blaming Google for Microsoft's slowness in release a patch for a high-severity vulnerability. 90 days not enough. Really?
  • Imagine if MS did this to Google Software. Jesus. Googles software screws up more than anyone's.
  • Microsoft does do this to Google. Google just tend to fix the problem within the allowed period.
  • Yet how many lines of code do Google have to go through compared to Microsoft to patch a vulnerability!!!!!
  • if MS would just do the same with Google......
  • What a bunch of a-hole
  • Isn't it time for Microsoft to claim, "For security reasons, we will no longer allow 3rd party browsers to run on Windows. Google agrees, by calling out a flaw in our own Web Browsers, that security is of utmost importance. Dropping 3rd party browsers will allow us to spend more time improving security on Windows instead of introducing more security risks by allow 3rd party browsers." Or something like , "Over 400 million Windows 10 users and still no official YouTube app. Well, how about over 400 million Windows 10 users and no Chrome support." Sounds fair to me.
  • 90 days should had been enough. For the sake of secuity of the user, they should even add warnings to the build-in Windows Defender "We have been alerted to a security flaw in X program/app, while we fix it, we advice you to use THIS, as an alternative."   This is my no means user-friendly, because most users will not care about this kind of security issue anyway, but it certainly is the right thing to do from a security perspective :)