The latest Google disclosure is about a type confusion in a module in the Edge browser and Internet Explorer.
Google's Ivan Fratric, who published a detailed write-up about the vulnerability, also released proof-of-concept code.
He wrote that his analysis was based on 64-bit Internet Explorer running in single process mode on Windows Server 2012 R2.
|
|
This is the second bug that Google has disclosed since Microsoft missed its scheduled release of security fixes in February and said it would be next issuing patches only on 14 March.
Last week, as iTWire reported, Google disclosed details of a bug in the Windows graphic device interface library that can be exploited to read the contents of a user's memory.
Apart from these two bugs that are now public knowledge, a zero-day exploit that implements an SMB3 server and affects clients connecting to it is also in the public domain.
The Google disclosures happen automatically, 90 days after the vendor is notified. The write-ups by its engineers are timed to become public after this period.
Microsoft put off its February updates due to unknown reasons; the company was due to begin a new method of updates this month.
When asked, after the first Google bug disclosure, whether it would be issuing any patches out of schedule, Microsoft responded: "Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices.
"Our standard policy is to provide solutions via our current Update Tuesday schedule."
About 400 million PCs run Windows 10, a system on which the new Edge browser is present.
