Google’s Project Zero vulnerability research team has published details of a flaw in the Microsoft Windows 10 Edge and Internet Explorer 11 browsers that allow them to be remotely crashed – without waiting for a fix to be released.
The vulnerability, which Google has classified as “high severity”, was detailed by Google Project Zero security researcher Ivan Fratric, who privately shared details with Microsoft back in November.
With Google’s self-imposed deadline of 90 days now expired, it has gone public with details of the flaw – in effect, telling the world how to crash the browser.
But could more be done with the flaw than this? When questioned, Fratric appeared to be concerned that exploitation could lead to more serious consequences than just the browser crashing:
“I will not make any further comments on exploitability, at least not until the bug is fixed. The report has too much info on that as it is (I really didn’t expect this one to miss the deadline).”
In other words, Fratric himself doesn’t seem entirely happy with the the details and proof-of-concept code having been made public before Microsoft had issued a patch.
Nonetheless, he and his Google colleagues have published the details. And anyone who relies on the Edge and Internet Explorer 11 browsers is left sitting waiting for a fix.
Regardless of whether Microsoft should have issued a patch for this flaw or not by now, I am left baffled as to how Google can think that its disclosure of this vulnerability and publication of exploit code is a good thing.
This is an ongoing story: Google keeps finding flaws in other vendors’ products, and making the details public before fixes are rolled out.
I have to question whether they are giving software companies enough time to fix and test their products, and whether it is really responsible to release proof-of-concept code onto the net which attackers could potentially exploit.