Microsoft is having a ‘bad day at the office’ at the moment.
At the beginning of February, it cancelled a regular monthly security update without explanation (it was to include fixes for several significant vulnerabilities). Plus, security researchers released information about how to exploit a weakness in some Microsoft server code.
Not a great start to the year.
To top it all, a recent article on the BBC website announced that Google had released details of a bug in Microsoft’s browsing program that allows attackers to build websites that make the software crash.
It stated that:
Google researcher Ivan Fratric said the bug could, in some cases, allow attackers to hijack a victim’s browser.
The bug was found in November, but details are only now being released after the expiry of the 90-day deadline Google gave Microsoft to find a fix.
Microsoft has yet to say when it will produce a patch that removes the bug.
The problem is found in Internet Explorer 11 as well as the Edge browser and arises because of the way both programs handle instructions to format some parts of web pages.
In a statement, Microsoft did not comment directly on the bug and its significance but said it had a “customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible”.
It added it was involved in “an ongoing conversation with Google about extending their deadline since the disclosure could potentially put customers at risk”.
The good news is that at the moment there is no evidence that malicious attackers are exploiting the problem unearthed by Mr Fratric.
The bad news is that no fix has yet been released for this vulnerability.
If we hear anything new, we’ll update you.