Google's Project Zero team has disclosed a potential arbitrary code execution vulnerability in Internet Explorer because Microsoft has not acted within Google's 90-day disclosure deadline.

This is the second flaw in Microsoft products made public by Google Project Zero since the Redmond giant decided to skip this month's Patch Tuesday and postpone its previously planned security fixes until March.

Microsoft blamed the unprecedented decision to push back scheduled security updates by a month on a "last minute issue" that could have had an impact on customers, but the company hasn't clarified the nature of the problem.

Some people have speculated that the problem might be related to the Windows Update infrastructure and not a particular fix, but the company pushed out a Flash Player security update on Tuesday, which suggests that if there was an infrastructure problem, it is now resolved.

The newly disclosed vulnerability is a so-called type confusion flaw that affects Microsoft Edge and Internet Explorer and can potentially allow remote attackers to execute arbitrary code on the underlying system.

"No exploit is available, but a PoC [proof-of-concept] demonstrating a crash is," Carsten Eiram, chief research officer at vulnerability intelligence firm Risk Based Security, said via email. "This PoC may provide a good starting point for anyone who wants to develop a working exploit. Google [Project Zero] even includes some comments on how to possibly achieve code execution."

The Risk Based Security researchers have confirmed the potentially exploitable crash for IE11 on a fully patched Windows 10 system and have assigned a CVSS severity score of 6.8 to it, treating its impact as potential code execution.

On Feb. 14, after Microsoft announced its decision to postpone the February patches, Google Project Zero disclosed a memory disclosure vulnerability in Windows' GDI library.

Computerworld