Background

Google Leaks A Bug On Internet Explorer And Edge Browser That Microsoft Ignored


Microsoft's web browsers, Internet Explorer and later Edge, are packed with features. But in many cases the way they work simply doesn't match how other browsers work, and that has frequently made them a problem to deal with.

Occupying eight percent of the market, the two web browsers have been found to have a major issue. Google has disclosed a still-active vulnerability in both browsers that Microsoft has apparently ignored.

The flaw in the two browsers allows attackers to build websites that crash the software. It was discovered by Google engineer Ivan Fratric, who said that in some cases the bug could even allow attackers to hijack the victim's browser.

The bug in Internet Explorer and Edge was first discovered in November. At that time, Fratric contacted Microsoft and gave it 3 months to ship a patch before the details would be released to the public. Since Microsoft appeared to ignore the case, Fratric published his report once the 90-day deadline had passed.

Bug

The problem lies in the way Internet Explorer 11 and the Edge browser handle instructions to format certain parts of web pages.

Going into the details, the two web browsers have a type confusion issue in the Layout::MultiColumnBoxBuilder::HandleColumnBreakOnColumnSpanningElement function in mshtml.dll.

This allows attackers to execute arbitrary code via vectors involving a crafted Cascading Style Sheets (CSS) token sequence and crafted JavaScript code that operates on a TH element. In a type confusion bug, the code treats an object in memory as an object of a different type than it actually is, so that what it reads or writes no longer matches the object's real layout; a crash is the usual symptom, and under the right conditions the mismatch can be steered into code execution.

In a statement, Microsoft did not directly comment on the bug, but said it had a "customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible." It also added that it was involved in "an ongoing conversation with Google about extending their deadline since the disclosure could potentially put customers at risk."

Earlier, Microsoft had failed to deliver its regular monthly update, without giving any explanation. The update that never arrived was expected to include fixes for several vulnerabilities, among them a patch for the bug Fratric found.