Google Publishes Second Unpatched Windows 10 Flaw In A Month

Google has released the details of what it says is a “critical” unpatched security flaw affecting Microsoft’s Windows 10 Edge and Internet Explorer 11 browsers as part of its controversial Google Zero bug-hunting programme.

As part of an advisory automatically published 90 days after Google’s initial disclosure of the bug to Microsoft, the search company published proof-of-concept code demonstrating how the flaw could be triggered.

Exploit code published

The publication of exploit code, and the lack of a patch, means attackers could use the information in the advisory to launch attacks targeting the affected browsers.

Microsoft cancelled its regular monthly update for February, citing a last-minue issue that could have affected usability, and it’s possible a patch for the bug – which Google disclosed to it in November – may have been included in that update.

The company may either release an out-of-cycle patch for the flaw or fix it in the monthly update for March.

Microsoft did not immediately respond to a request for comment, but in November, when Google published the details of an unpatched bug that was being actively exploited by hackers, the company said the disclosure was “disappointing” and put users at risk.

‘Critical’ flaw

This is the second time this month that Google Zero has published an unpatched bug in Microsoft’s software, but the previous issue, affecting the Windows Graphics Device Interface (GDI), was ranked only “medium” in severity.

The latest bug is more serious, according to Google’s advisory, which says the flaw can be used to crash Windows 10 Edge and Internet Explorer 11.

The “critical” severity rating indicates attackers could potentially exploit the crash to carry out further actions, but these aren’t specified in the advisory and Google researcher Ivan Fratric, who initially reported the bug, declined to offer more details.

“I will not make any further comments on exploitability, at least not until the bug is fixed,” he wrote in an addendum to the advisory. “The report has too much info on that as it is (I really didn’t expect this one to miss the deadline).”

Google says its adherence to strict disclosure deadlines is intended to put pressure on vendors to issue patches, but vendors and security researchers have criticised the programme for putting users at risk.

“Regardless of whether Microsoft should have issued a patch for this flaw or not by now, I am left baffled as to how Google can think that its disclosure of this vulnerability and publication of exploit code is a good thing,” wrote security expert Graham Cluley in a blog post.

Do you know all about security in 2017? Try our quiz!