Google’s Project Zero discloses Edge browser bug after Microsoft didn’t fix it in time

Microsoft didn't make the 90-day patch window, so Project Zero shared details with the world

Google's Project Zero security team has disclosed a Microsoft Edge flaw after the Redmond firm didn't manage to fix it in time.

Details of the security bypass bug were originally shared with Microsoft on 17 November last year, but because Microsoft wasn't able to come up with a suitable patch within Google's non-negotiable 90-day fix period, the security researchers made it public.

Project Zero usually gives software companies an extension of 14 days on that 90-day window if a patch is close, but in Microsoft's case it wasn't.

Exactly 90 days post-discovery, Google revealed Microsoft's excuse, quoting: "The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues.

"The team IS positive that this will be ready to ship on March 13th [2018-03-13], however this is beyond the 90-day SLA [service level agreement] and 14-day grace period to align with Update Tuesdays."

Google therefore published details of the bug immediately, revealing to Microsoft Edge users how they are to be without a patch for almost another month.

Luckily, the bug isn't too dangerous. Security firm Sophos pointed out that it isn't as bad as a remote code execution exploit. It's in fact a security bypass that could allow an attacker who has already wrested control from a user's browser to get past Microsoft's second layer of defence, known as an Arbitrary Code Guard (ACG).

"ACG is supposed to head off remote code execution attacks before they can make any headway," explained Sophos's Paul Ducklin in a blog post. "Very simply put, [it] works by locking down the memory that Edge uses to run its own software code."

An attacker who uses the flaw to get control via a webpage that Edge just loaded can't modify executable code that's already in memory, nor can they allocate new memory blocks in which to store rogue code, so Sophos suggested Edge users shouldn't worry too much about it.

"[While] this hole doesn't give crooks a direct way to take over your browser immediately, [Edge users] can regard it as a vulnerability that could make a bad thing worse, rather than a bad thing in the first place," Ducklin added.

Nevertheless, it's always best to keep your computer as safe as possible, so if you're an Edge browser user, look out for Microsoft's forthcoming patch. It might be that it's included in its next Patch Tuesday release.

Image: Shutterstock

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

Hackers using COVID vaccine as a lure to spread malware
hacking

Hackers using COVID vaccine as a lure to spread malware

15 Jan 2021
Cyber criminals bypassing MFA to access cloud service accounts
two-factor authentication (2FA)

Cyber criminals bypassing MFA to access cloud service accounts

14 Jan 2021
Capcom data breach adds another 40,000 estimated victims
data breaches

Capcom data breach adds another 40,000 estimated victims

13 Jan 2021
Website problems slow coronavirus vaccine rollout
hacking

Website problems slow coronavirus vaccine rollout

6 Jan 2021

Most Popular

Should IT departments call time on WhatsApp?
communications

Should IT departments call time on WhatsApp?

15 Jan 2021
How to recover deleted emails in Gmail
email delivery

How to recover deleted emails in Gmail

6 Jan 2021
IT retailer faces €10.4m GDPR fine for employee surveillance
General Data Protection Regulation (GDPR)

IT retailer faces €10.4m GDPR fine for employee surveillance

18 Jan 2021