Google’s Project Zero reported to Microsoft a security bug in Edge and Internet Explorer 11 on November 25th, 2016, which still hasn’t been patched. The vulnerability, identified as CVE-2017-0037, would allow remote code execution where attackers could crash browsers and execute arbitrary code.
As mentioned, the bug was reported in November last year, and was revealed to the public several days ago when ProjectZero’s 90-day disclosure deadline expired. No patch has been released by Microsoft.
More about CVE-2017-0037
Here is the official description:
In addition, Google has included a report where a proof-of-concept displays how the crashes in both browsers could be caused.
Google Surprised by Microsoft’s Lack of Reaction
Ivan Fratric, the researcher who found the bug says he “didn’t expect this one to miss the deadline”. The bug passed the 90-day deadline ProjectZero usually gives to vendors to fix address security issues.
On the other hand, Microsoft recently delayed its February 2017 patch which will be released on March 14. However, no explanation has been given for this delay. Flash Player-related issues were fixed in Edge and IE last week but there was no mention of the issue disclosed by Google.