IE, Edge Users at Risk from Serious Browser Security Flaw

A Google researcher has disclosed a serious security flaw that could make Microsoft's Internet Explorer 11 and Edge browsers unsafe to use for the time being. Microsoft has not said when it will patch the flaw, leaving millions of people around the globe at potential risk. (The next Patch Tuesday round of security updates is scheduled for March 14.)

Credit: T.Dallas/Shutterstock


According to Google Project Zero researcher Ivan Fratric, whose report on the flaw was made public late last week, the problem relates to how IE11 and Edge format web pages. Malicious hackers taking advantage of the flaw could build fake websites that would cause the browsers to crash, as Fratric demonstrated in his notes.

That alone isn't such a huge problem, but the flaw could also be exploited — Fratric wouldn't say how — to let those same malicious sites take control of your systems.

There's no evidence yet that anyone has exploited the flaw. But because it remains unpatched, malicious hackers may now be seeing the announcement and making webpages that could take advantage of it. We recommend not using IE11 or Edge until a patch is ready.


Fratric tried to avoid revealing more details about the vulnerability.

"I will not make any further comments on exploitability, at least not until the bug is fixed," he wrote in his bug report. "The report has too much info on that as it is (I really didn't expect this one to miss the deadline)."

However, the U.S. government's National Vulnerability Database gives more clues, stating that: "Microsoft Internet Explorer 11 and Microsoft Edge have a type confusion issue … [that] allows remote attackers to execute arbitrary code via vectors involving a crafted Cascading Style Sheets (CSS) token sequence and crafted JavaScript code that operates on a TH element."

"Yeah, I would say that was too much information," a commenter on Ars Technica observed.

Fratric said he alerted Microsoft to the flaw in November, and disclosed it only after the end of Google Project Zero's 90-day disclosure deadline, which lets companies fix affected products within three months. (If the vendor says a flaw will be fixed within 14 days of the deadline, Google will hold off disclosure.)

The move is probably a good one. By making the information public, Google places additional pressure on Microsoft to determine what's going on and come up with a solution.

For its part, Microsoft said in a statement provided to the BBC that it has a "customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible."

Internet Explorer 11 and Edge users are left with little to go on, and no way of mitigating the problem except hoping for the best.

To safeguard yourself, your best bet may be to stop using Edge and Internet Explorer 11 altogether and move on to something else. (Older versions of Internet Explorer may also be vulnerable.) Mozilla Firefox, Opera and Google Chrome are not believed to suffer from the same problem.

Don Reisinger is CEO and founder of D2 Tech Agency. A communications strategist, consultant, and copywriter, Don has also written for many leading technology and business publications including CNET, Fortune Magazine, The New York Times, Forbes, Computerworld, Digital Trends, TechCrunch and Slashgear. He has also written for Tom's Guide for many years, contributing hundreds of articles on everything from phones to games to streaming and smart home.
