Google Discloses Yet Another New Unpatched Microsoft Vulnerability In Edge/IE

An anonymous reader quotes BleepingComputer: Google has gone public with details of a second unpatched vulnerability in Microsoft products, this time in Edge and Internet Explorer, after last week they've published details about a bug in the Windows GDI (Graphics Device Interface) component... The bug, discovered by Google Project Zero researcher Ivan Fratric, is tracked by the CVE-2017-0037 identifier and is a type confusion, a kind of security flaw that can allow an attacker to execute code on the affected machine, and take over a device.

Details about CVE-2017-0037 are available in Google's bug report, along with proof-of-concept code. The PoC code causes a crash of the exploited browser, but depending on the attacker's skill level, more dangerous exploits could be built... Besides the Edge and IE bug, Microsoft products are also plagued by two other severe security flaws, one affecting the Windows GDI component and one the SMB file sharing protocol shipped with all Windows OS versions...
Google's team notified Microsoft of the bug 90 days ago, only disclosing it publicly on Friday.

Interesting Headline

[bulled]

Why not:

Microsoft fails to patch yet another vulnerability for 90 days?

Right, because isn't so much news as status quo.

Re:but but but ..

[Billly+Gates]

Microsoft Edge running under windows is the most secure browser on the planet, Microsoft says so.

As much as it is fashionable to bash MS at this anti MS website I will ask if you think Chrome is any better? It is kind of unfair as of course Google won't disclose it's own bugs.

The problem is anything that executes programs (javascript and flash count even if they are not compiled) from anywhere on an untrusted world wide platform is stupid beyond belief!

Perhaps we can replace javascript once logic can be performed through CSS. Of course at that point I would imagine CSS would then become an attack vector.

I will bash MS on this though, SMB is a security issue (old SMB like in server 2003/XP especially) and I wonder why a browser would use this? Sharepoint integration perhaps from an era of IE 7 when MS was thinking a browser is an operating system? This should be seperated

Disclosure is a tool to get the problem fixed.

[robbak]

Actually following through with the threat to disclose in 90 days (which is far too long in my opinion) is the only way to get corporations to take vulnerability reports seriously.

Microsoft made a choice - to push their big marketing and style changes to all their users by bundling them with necessary security updates. This bad decision means that they can't push out small security-only, no-reboot-required updates on an as-needed basis. It is this profit-driven motive that makes a short disclosure period hard for them. The right way for the world deal with this is keep up the pressure, so they switch back to pushing out small security-only updates as needed when needed; to rebuild their customer's trust that Microsoft's updates won't break people's systems, won't suddenly uninstall legacy software, that sysadmins don't have to put updates through verification because they'll probably break something. This way, vulnerabilities in windows are fixed within days of them being reported.

There is zero excuse for not fixing a vulnerability for 90 days. If something makes it hard for a corporation to fix vulnerabilities quickly, then it is that something that needs to change. Responsible disclosure like this pushes corporations to make such changes.