Google reports 'high-severity' Windows 10 bug in Microsoft Edge with no patch available

Google's Project Zero security research team has discovered a bug with severe vulnerability on Microsoft Edge, more popularly still referred to as Internet Explorer by many. But the bug affects both the Microsoft Edge and Internet Explorer 11.

The latest vulnerability not only impacts Windows 10 but other iterations of the operating system as well and stems from what's known as a type-confusion bug. It allows remote attackers to execute arbitrary code via vectors involving a crafted Cascading Style Sheets (CSS) token sequence and crafted JavaScript code. Just 17 lines of HTML coding in this case can lead to both the browsers crashing.

Researcher Ivan Fratric of the Google team, who spotted the bug, says he sent his assessment to Microsoft on 25 November. Generally, when any vulnerability of this scale is found, it is standard for Google to give the company, which is Microsoft here, a 90-day window to patch the issue before it is made public. Fratric says the window passed and yet no patch is available.

Shortly after Fratric made the vulnerability public, Microsoft issued a statement saying: "We believe in coordinated vulnerability disclosure, and we've had an ongoing conversation with Google about extending their deadline since the disclosure could potentially put customers at risk. Microsoft has a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible."

There is still, however, no suggestion, workaround or patch for Windows 10 users to follow and protect their systems.

The latest disclosure is the second time in a week that Project Zero researchers have reported unpatched security vulnerability in a Microsoft product. Last week, Project Zero researcher Mateusz Jurczyk published details of a flaw in Windows that exposes potentially sensitive data stored in computer memory.