GOOGLE HAS GONE PUBLIC with an unpatched Microsoft Edge vulnerability that could allow hackers to bypass one of the browser’s security features.
Ivan Fratric, a security engineer with Google’s Project Zero team, has discovered a way to bypass Arbitrary Code Guard (ACG) and allow an attacker to load unsigned code in memory. This could, in theory at least, give attackers a way into Windows boxes through malicious websites loaded in Edge by leveraging a flaw in the browser’s JIT (Just-in-Time) compiler.
As spotted by Neowin, Fratric told Microsoft about the flaw in November last year and provided the firm with 90 days to fix the bug before it went public.
Google, which has classified the vulnerability as being of “Medium” severity, provided Microsoft with an additional 14-day grace period to have a fix available for its monthly Patch Tuesday release in February, but Microsoft missed this second deadline.
As such, details of the “ACG bypass using UnmapViewOfFile” bug have now been made public.
“The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues,” Microsoft said.
“The team IS positive that this will be ready to ship on March 13, however this is beyond the 90-day SLA and 14-day grace period to align with Update Tuesdays.”
This isn’t the first time Google has gone public with a flaw yet to be fixed by Microsoft: back in 2016, the firm disclosed a major bug in the Windows OS just seven days after notifying Microsoft about it.
Last October, Microsoft, having “responsibly” uncovered a bug in Google’s Chrome browser, hit out at Project Zero.
“It is problematic when the vulnerabilities are made known to attackers ahead of the patches being made available,” Microsoft said at the time.
“We believe that it’s important to ship fixes to customers before making them public knowledge.”
Source: Inquirer