Google recently disclosed a vulnerability in the Microsoft browsers Edge and IE after its 90-day deadline expired. Google's policy is to disclose a vulnerability if the affected company does not publish a patch within that period. Microsoft is responsible for providing timely updates and fixes for all reported vulnerabilities and exploits in IE and Edge.
The issue is a type confusion in HandleColumnBreakOnColumnSpanningElement. According to Google's Project Zero team, the vulnerability may lead to arbitrary code execution on the machine. An attacker can also crash the web browsers.
This zero-day vulnerability was found on 25th November 2016 and publicly released on 23rd February 2017. The security issue is still unpatched. Delays in providing security patches for such vulnerabilities leave users exposed to attackers. To protect users from being compromised, a company needs to publish security patches on a priority basis.
The 90-day deadline pushes companies to provide fixes for security issues without delay. Without this Google policy, the companies concerned could become careless.
Microsoft postponed Patch Tuesday for the month of February due to a last-minute issue that was not disclosed to users. It seems that the vulnerability now disclosed by Google may also be one of the issues, as Microsoft would not be expected to postpone Patch Tuesday over minor issues.
For the full details of the zero-day vulnerability in Edge and IE, see the technical code (evidence of the vulnerability) published by Google on its Project Zero website.