Google again disclosed the vulnerability of another unpatched Window security flaw, as Microsoft did not act within its 90-day disclosure timeline.
Besides this, Google last week disclose an unpatched vulnerability in GDI Interface (Graphic Device Interface) library, which affects Microsoft’s Window operating system ranging from Window Vista to Window 10.
This month has been interesting for the bug hunters, with Google successfully done the collision attack of SHA-1 and the discovery of the Cloudbleed attack that caused leakage of sensitive information like username, password hosted on CloudeFlare server.
And the best part is both the flaw was discovered by Google Project Zero.
What is Google Project Zero?
It is a little-known research group whose focus is finding security vulnerabilities.
Who Discovered The Flaw?
Now again Google Project Zero researcher Ivan Fratric discovered the vulnerability (CVE-2017-0037) which is dubbed as “type confusion flaw” which lead attackers to execute arbitrary codes in Microsoft Edge and Internet Explorer.
Google Project Zero has disclosed this flaw, while the Window vulnerability has yet to be patched.
The Google Project Zero researcher has already published the details of arbitrary code execution flaw and proof-of-concept that can crash Microsoft Edge and Internet Explorer, an attacker can execute arbitrary code and can gain administrator privileges on the victim system.
The vulnerability affects all Window 7, Window 8.1 and Window 10 users.
Ivan Fratric says he successfully ran his proof-of-concept on the 64-bit version of Internet Explorer on Window Server 2012 R2, but both 32-bit Internet Explorer, as well as Microsoft Edge, is affected by this flaw.
When Is It Reported?
Dubbed name Type confusion flaw, was reported to Microsoft November 25, and went public on Febrarury 25, after Google Project Zero 90-day disclosure property.
You can get more information about the disclosed flaw on Google Project Zero Bug Report Page here along with Proof-of-concept.
The POC released by Project Zero can be used by hackers to build more advanced malicious code, thus making Window user unsafe now.
Vulnerabilities Disclosed But Are Still Unpatched.
Yes, Microsoft has two unpatched vulnerability and which are already been disclosed with working proof-of-concept, giving hackers great time to target and generate more sophisticated exploits for Window users.
Microsoft has delayed this month patch, it is still unsure that Microsoft will release the patch for two disclosed vulnerability by Google Project Zero in its next patch schedules.
Two of the vulnerability still unpatched are:
Window SMB flaw that affects Window 8, Window 10 and Window Server users. The POC code for this flaw has been released two weeks ago.
And other flaw discovered is GDI Interface (Graphic Device Interface) library bug which affects Microsoft’s Window operating system Window Vista to Window 10.
- Not to use Microsoft Edge and Internet Browser meanwhile and switch to another browser, if possible until the disclosed vulnerability is patched by Microsoft
- Avoid clicking suspicious links and website.
Get more stuff like this
in your inbox
Subscribe Us And Get Latest Tech News, Hacking News, Science News, And Latest Gadgets News Directly Delivered To Your Inbox
Thank You For Subscribing. Verification Email Has Been Send To You. Please Verify !
Something Went Wrong.