Skip to main content
  1. Home
  2. Computing
  3. News

Microsoft misses another Edge-related 90-day security disclosure deadline

Add as a preferred source on Google

Google’s Project Zero team released a report identifying another security flaw in Microsoft Edge. The team traditionally provides 90 days for developers to fix the uncovered issue(s) and exposes said issue(s) if they are not resolved within that timeframe. That means Microsoft didn’t respond to the team’s initial bug report, thus Project Zero is now coming forward with its findings. 

But Microsoft isn’t simply ignoring the report. The company deems the issue as “important” rather than “critical” because hackers can’t remotely take advantage of the Microsoft Edge security hole. Instead, they must execute code locally on the target PC using a normal privilege level. But the researcher who discovered the vulnerability deems it as “high severity” given it’s still easy to exploit despite the need for local device access. 

Recommended Videos

As for the actual problem, it provides hackers with administrator privileges on the target PC. That essentially means they can do anything on the device: Install programs, delete files, and so on. Getting administrator privileges through the vulnerability starts with the way a “hard-linked” file receives a security descriptor and is moved to a new destination. Once in the new folder, Windows 10 changes the file’s security descriptor to match the security settings of the current folder. 

That said, if the hard-linked file was originally set to read-only, the flaw allows anyone on the network to edit that file after it’s moved to the new directory. That is a simplified explanation and is apparently only a problem on Windows 10. The Project Zero team successfully exploited the security flaw on Windows 10 version 1709. 

The issue is one of two reported by the Project Zero team. The first problem, Issue 1427, received a fix on February 13, whereas the issue listed in the public report published on Tuesday, February 20, (1428) was not. The Proof of Concept consists of software compiled in C++ executing as a normal user to create a file in the Windows folder using the “SvcMoveFileInheritSecurity” method. 

The issue Microsoft did fix is listed as CVE-2018-0826. According to the filing, Windows Storage Services “allows an elevation of privilege vulnerability due to the way objects are handled in memory.” It applies to Windows 10 versions 1511, 1607, 1703, and 1709 along with Windows Server 2016 and Windows Server version 1709. 

Google’s Project Zero team disclosed another vulnerability earlier this week that Microsoft has yet to fix. Originally disclosed to the company in November, the bug resides in Microsoft Edge and centers on a compiler for JavaScript. Hackers can compromise the browser by predicting the path of the compiling process. Unfortunately, Microsoft couldn’t provide a fix before the 90-day deadline. 

“The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues,” the Microsoft Security Research Center stated. “The team is positive that this will be ready to ship on March 13th.” 

Kevin Parrish
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
Apple’s Hide My Email feature has an unfixed bug that leaves email addresses exposed
100% exploitable in limited testing, known since June 2025, and still unfixed as of today.
apple-merging-sign-in-with-apple-hide-my-email-icloud+

Apple has been selling Hide My Email to keep your real email address hidden, but it has a vulnerability that does the exact opposite. The worst part is that the company has known about it for a year. 

Hide My Email, part of Apple’s paid iCloud+ subscription, lets users generate anonymous email addresses for signing up to a website, so that their personal or work email remains free of promotional emails and spam. 

Read more
I hate sharing my Mac, but a face-unlocking app finally cured my privacy paranoia
Someone finally built the app locker every Mac user has been asking for.
FaceGate in action on Mac

If you have ever handed your Mac to a friend, family member, or coworker for "just a minute," you know the mild panic that follows. Sure, your Mac has a lock screen, but once someone is past it, they can open Messages, Photos, Notes, Mail, WhatsApp, and your browser.

iPhones had the same issue, but Apple solved it by adding an app lock feature with the iOS 18 update. Sadly, no such feature exists for macOS. That’s where the new FaceGate app for Mac can help you. It’s a free and open-source app that lets you lock apps on your Mac and even has some novel tricks up its sleeve. So, let’s talk about it, shall we?

Read more
The charm of a tiny Windows tablet is apparently dead at Microsoft. Long live the Surface Go!
Microsoft’s budget Surface era may be over
Microsoft Surface Go 3 stand.

Microsoft might be cleaning up its Surface lineup. According to Windows Central, Microsoft has stopped manufacturing the Surface Go and Surface Laptop Go lines, with no successors currently planned. Surface Go 4 and Surface Laptop Go 3 are reportedly out of stock in most places, and once remaining retail stock is gone, that may be it.

If this is true, then we are looking at the end of the brand's budget Surface PCs as Microsoft has plenty of premium Windows hardware.

Read more