Nasty flaw found in Microsoft’s browsers leaves surfers on edge

Reportedly affects IE 11 and Edge, but there’s doubt on the latter

Do you run one of Microsoft’s web browsers rather than Chrome or Firefox (or indeed another alternative)? Then be warned that a severe bug has been uncovered which could allow a malicious party to crash your browser, and reportedly even pull off a hijack of either Internet Explorer 11 or Edge.

This finding comes courtesy of Ivan Fratric, a security researcher at Google Project Zero, who uncovered the flaw last November, as the BBC reports. Microsoft hasn’t taken action to patch it, though, so Fratric has made his discovery public after the expiration of Google's standard 90-day disclosure deadline.

The exploit is leveraged via a problem with the way these browsers deal with web page layout and formatting instructions, and according to the researcher, it can be used to crash the software, and potentially allow an attacker to execute arbitrary code on the victim’s browser.

Given that it remains un-patched, Fratric declined to reveal more about the vulnerability, writing in a Chromium bugs forum post, “I will not make any further comments on exploitability, at least not until the bug is fixed. [My] report has too much info on that as it is (I really didn't expect this one to miss the deadline).”

All that said, there’s currently no evidence that malicious types are actively using this exploit as of this writing.

Cutting-Edge browser?

Furthermore, in that same Chromium discussion thread on the matter, several posters have claimed that they can’t successfully reproduce this issue on Microsoft’s Edge browser. However, they can replicate it with Internet Explorer 11.

So, Edge may not be vulnerable if you put stock in those particular comments. Fratric based his report on demonstrating the vulnerability in IE 11 64-bit, but claims that the 32-bit version of IE and Microsoft Edge should “behave similarly."

At any rate, this is clearly a major gremlin which is worth knowing about, and hopefully now that knowledge is public and widespread, Microsoft will be fixing the appropriate holes pronto.

Microsoft declined to comment on the issue when contacted by the BBC, but did say that it operates with a commitment to “investigate reported security issues and proactively update impacted devices as soon as possible”, and further added that it was talking to Google about extending the 90-day disclosure deadline to avoid putting customers at risk.

We’ve contacted Microsoft for further comment on the matter, and will update this story with should we receive one.

This is obviously slightly embarrassing for the software giant, because Microsoft hasn’t been shy about hyping Windows 10 and Edge in terms of their security chops.

Given previous boasts that Edge is the browser to use if you want security, it hopefully isn’t the case that there’s currently an major, un-patched flaw in Edge that could have been fixed a considerable time ago.