Published: Tue, February 20, 2018
Sci-tech | By Carrie Guzman

Google discloses security flaw in Microsoft Edge browser

Continuing a controversial policy, Google on Friday disclosed a major security vulnerability in a Microsoft product before it was fixed. The bug was originally shared with Microsoft on 17 November of the previous year, but the company was unable to find a solution in that timeframe. Once the flaw was found, Google notified Microsoft and gave the company a 90-day window to patch it before publicly disclosing the flaw.

Indeed, Google's move irked Microsoft so much that Windows Executive VP Terry Myerson opted to publish a blog post criticizing the search giant for its approach to the disclosure of security vulnerabilities. After Microsoft confirmed to Google that there is now no firm timeframe for the patch's release, Project Zero went public with its disclosure even though no patch is available.

Nearly five years ago, Google announced that it would turn its recommendation for fixing zero-day vulnerabilities into a policy: When the firm discovered a vulnerability, it would reveal it to the software's maker and then give them 90 days to fix it.

The severity of the vulnerability ranks as "medium", and Microsoft has detailed what it considers to be the best steps for Edge users to take. Researcher Ivan Fratric was able to load unsigned code into memory from a malicious website accessed via Edge. The problem discovered by Project Zero lies in the implementation of ACG, which depends on a separate process for the just-in-time (JIT) compilation of code. The details of the patch are technically dense but, essentially, the flaw could allow bad actors to bypass security features of the browser.

"The fix is more complex than initially anticipated", said Microsoft.

Paul Ducklin of Sophos explained that the ACG bypass found in the browser doesn't provide hackers remote code execution on its own, and that a remote code execution vulnerability in Edge must first be located.

The two companies have disagreed over publicly disclosing security issues in the past. However, given Edge's small market share, the security issue was unlikely to affect too many people, though it is still embarrassing for the company.

Microsoft's Edge flaw will supposedly get its patch on March 13.
