Here comes Google, creating trouble for Microsoft once more. Google’s in-house zero-day exploit-discovery team, Project Zero, has discovered a zero-day vulnerability in Microsoft’s Internet Explorer and Edge browsers.
Technically, Project Zero found this exploit about 90 days ago; the Google team possesses expertise in discovering zero-day exploits and reports them to the relevant people who can fix said exploits.
Once an exploit is discovered and reported, Project Zero waits 90 days for the concerned people and companies to release a patch. Unfortunately, Microsoft failed to release one, and now Project Zero has released the exploit in the wild, for everybody to use.
It’s harsh, but it’s how Project Zero works. It’s not the first time this has happened to Microsoft either. But there’s not much the Redmond giant can do about it, except for fixing the vulnerabilities as soon as possible.
The bug was first discovered on November 25th. If exploited, it allows a malicious website to crash the visitor’s browser. In addition, it can also be used to execute code. The latter part is the scary one, of course.
Project Zero has detailed the bug publicly and is even offering a 17-line proof-of-concept. Although it’s not very difficult to find, we will not link to this for obvious reasons.
Everyone on Windows 10 – even if updated to the latest Insider build – remains affected by this bug and can be targeted using this exploit. That’s what makes the power that Project Zero wields very dangerous.
Google’s Project Zero holds an important place in the industry. Those who intend to cause harm will continue to find new exploits to do so, and thus the industry must stay one step ahead of them.
What Google is doing with Project Zero not only keeps Google’s own services safe and secure but also keeps the rest of the industry on its toes. Microsoft has failed to meet Project Zero’s 90-day deadlines multiple times, putting users at risk.
It just shows how slow and difficult it is for Microsoft to fix and patch its software. Sure, Windows powers over a billion devices, but that just makes security an even higher priority.
However, with great power comes great responsibility. Google’s Project Zero should perhaps try shaming those who fail to meet the deadline, rather than releasing a zero-day bug in the wild for anyone – even the evildoers – to exploit.
Via: The Register