Wellington-based ICT security company Security-Assessment.com, owned by Dimension Data, says it uncovered vulnerabilities in the Microsoft Edge and Internet Explorer browsers for which Microsoft issued patches in May.
It said the vulnerabilities would enable attackers to obtain sensitive information and potentially run malicious code on victim machines.
The company said the vulnerabilities were discovered by its principal consultant Scott Bell, who had reported numerous vulnerabilities to Microsoft in the past.
Bell said: “Security-Assessment.com follows responsible disclosure guidelines. This means alerting the vendor to the vulnerabilities immediately and not releasing information about the vulnerabilities until they are fixed to prevent malicious actors from actively exploiting the vulnerabilities.”
Security-Assessment.com says it was the first ethical hacking security company set up in New Zealand and claims to have developed its own in-house, proprietary methodologies to discover vulnerabilities.
Microsoft’s acknowledgements web site — which has not been updated since March — lists the most recent vulnerabilities uncovered by Bell as being in March. It applies to Microsoft Edge only and is described as critical. “The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge,” Microsoft said.
“An attacker who successfully exploited these vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”