Google goes public with Edge flaw as Microsoft misses fix deadline


Interestingly, Redmond also missed the second deadline and now we have a public "Medium" security flaw sitting in Edge without a patch. But Google believes that informing users of vulnerabilities is safer, and that in doing so it will "improve both the state of web security and the coordination of vulnerability management".

The public disclosure will likely increase tensions between the two companies.

Google and Microsoft's cat and mouse game continues.

While it's good that security flaws are being reported as soon as they're discovered, publicly revealing one even before the affected company has a chance to fix it will do more harm than good.

"ACG is supposed to head off remote code execution attacks before they can make any headway", explained Sophos's Paul Ducklin in a blog post. Most modern web browsers rely on Just-in-Time (JIT) compilers, which created complications with ACG and forced Microsoft to move the JIT functionality of Chakra into a separate process that runs in an isolated sandbox. According to the company, this was a hard task to accomplish.

But Google researchers nevertheless found a way to guess roughly where Edge's JIT compiler was going to allocate new memory, and to exploit it that way. Google found that the allocation of JIT memory is predictable, which could be exploited by a compromised content process to inject arbitrary code into ACG.


Google granted Microsoft a 14-day extension to the usual 90-day disclosure period after the company complained that the problem was more complex, and therefore harder to fix, than first thought.

On the other hand, you can argue that Google is being high-handed by applying its own opinion in the first place as if it were an objective industry-wide standard.

Despite Edge's relatively small user base, the episode is still embarrassing for Microsoft.

Nevertheless, keep your eyes open for Microsoft's forthcoming patch. Which just expired. So here we are.

Microsoft now says that it will fix this vulnerability in the March Patch Tuesday updates.
