Google has publicly identified a "high-severity" security flaw that affects several versions of Microsoft's browser and could allow an attacker to execute malicious code.
The disclosure is complicated by the fact that Microsoft has yet to release a patch despite having been notified by Google of the issue last November. Google has a practice of going public with security issues 90 days after privately reporting them to the software maker in question.
Ivan Fratric, the Google researcher who identified the issue, said he expected Microsoft to fix the issue before the deadline.
"I will not make any further comments on exploitability, at least not until the bug is fixed," he said, according to Ars Technica. "The report has too much info on that as it is (I really didn't expect this one to miss the deadline)."
For its part, Microsoft said it had hoped Google would give it more time.
"We believe in coordinated vulnerability disclosure, and we've had an ongoing conversation with Google about extending their deadline since the disclosure could potentially put customers at risk," a Microsoft representative told Axios.
Microsoft also canceled this month's regularly scheduled "Patch Tuesday," on which it typically issues security updates, though the company sometimes pushes especially important fixes outside the monthly schedule.