Security researchers have discovered a flaw in Microsoft’s web browsers that could allow cyber criminals to take control of the software under certain circumstances.
Google Project Zero’s Ivan Fratric reported the flaw in Edge and Internet Explorer to Microsoft last November, but went public with it this week after the tech firm failed to fix it within 90 days.
The vulnerability centres around the way the browsers handle certain formatting and page elements. It means that hackers could potentially build malicious websites that cause their victims’ browsers to crash and in some cases grant attackers control of the software.
According to the BBC, Fratric will not describe the flaw in more detail until Microsoft has patched it, and there is no evidence that attackers are exploiting it in the wild.
Microsoft did not directly comment on the vulnerability, but said it was committed to investigating security issues and said it was having “an ongoing conversation with Google about extending their deadline since the disclosure could potentially put customers at risk”.
This is not the first time Google researchers have gone public with a flaw in a Microsoft product before the technology giant has released a patch to protect its users.
In November last year, Microsoft criticised Google for publishing details of a Windows zero-day flaw that it had not had time to fix. In that case, Google had given it a week’s notice.
“We believe in coordinated vulnerability disclosure, and [this] disclosure by Google puts customers at potential risk,” a Microsoft spokesperson said at the time.
In his explanation of the newly-discovered Edge and Internet Explorer vulnerability, Fratric said he “really didn’t expect this one to miss the deadline”.
According to W3Counter figures from January, Microsoft’s web browsers – Internet Explorer and Edge – are used by around eight per cent of web users.