UPDATED 21:38 EST / FEBRUARY 19 2018

Google publishes Edge security flaw details after Microsoft misses deadline

Google LLC has gone public with the details of a critical security flaw in Microsoft Corp.’s Edge web browser after Microsoft failed to patch the vulnerability despite being given a 90-day deadline to do so.

The vulnerability relates to an issue with Arbitrary Code Guard, a security measure added to Edge last April as part of the Windows 10 Creators Update. The disclosure, titled “ACG bypass using UnmapViewOfFile,” is highly technical, but the short version is that the flaw allows hackers to predict the memory space Edge is about to use and then inject their own code into the browser to hijack data.

Worse still, that code injection can be delivered via a malicious website, not just by gaining direct access to a victim’s computer.

Google’s Project Zero team notified Microsoft of the vulnerability and proof-of-concept attack on Nov. 17, giving Microsoft an initial 90 days to address the issue. On Feb. 13, Microsoft responded by saying that “the fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues.” It added that it hopes to have a fix ready to ship March 13.

Although Microsoft promised a fix will be forthcoming, Google isn’t generous when it comes to giving deadline extensions, and it published the vulnerability over the weekend in line with its 90-day disclosure policy. This isn’t the first time Google has published vulnerabilities in Microsoft products after the software giant missed a 90-day deadline: it has upset Microsoft by publishing details at various times over the years, including Windows vulnerabilities in 2015 and 2016.

The good news for the few people who use Microsoft Edge — under 5 percent of the market as of January — is that the exploit has not yet been detected in the wild. That said, now that it has been disclosed, and with Microsoft still three weeks away from fixing it, there’s every chance that crafty hackers will be exploiting it shortly.
