Skip to main content

Google found another critical security flaw in Microsoft Edge

Google’s Project Zero disclosed a software vulnerability in Microsoft’s Edge browser over the weekend. The flaw was first reported privately but after Microsoft failed to patch the issue in time, Google’s Project Zero team revealed the technical details of the vulnerability along with Microsoft’s response.

Let’s be clear though, this security vulnerability isn’t the kind of thing you need to run out and uninstall Edge over. Chances are you’re using a different browser anyway, but until it’s fixed maybe stick to Chrome or Firefox. The vulnerability itself establishes a workaround for one of Edge’s built-in security countermeasures, Arbitrary Code Guard (ACG). Sidestepping ACG, Google security researcher Ivan Fratric found a way to load unsigned code into memory from malicious website accessed via Microsoft Edge.

“The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues. The team is positive that this will be ready to ship on March 13th,” Microsoft replied to Fratric’s disclosure.

However, Microsoft added, the complexity of the fix has made it difficult to nail down a fixed date for release. Microsoft is reportedly aiming for a mid-March release for the patch, but it’s unclear if the company will make that self-imposed deadline.

We’re only hearing about this now because of Google Project Zero’s security vulnerability policy. When Project Zero discovers a vulnerability, the team reaches out privately to the manufacturer of the product — in this case, Microsoft — giving the manufacturer 90 days to get a fix together before they disclose the vulnerability to the public. This particular disclosure is unlikely to make anyone in Microsoft’s Redmond, Washington, headquarters particularly happy.

As Engadget points out, it’s not the first time Google’s exploit-finding-team has rubbed Microsoft the wrong way. Google and Microsoft have all but come to blows over these disclosures in the past, with each company taking pains to poke holes in the other’s products in order to promote their own. That doesn’t appear to be the case here but it is unlikely anyone at Microsoft is going to look favorably upon this security vulnerability being thrust into the spotlight.

Editors' Recommendations

Jayce Wagner
Former Digital Trends Contributor
A staff writer for the Computing section, Jayce covers a little bit of everything -- hardware, gaming, and occasionally VR.
This Google Chrome feature may save you from malware
Google Chrome app on s8 screen.

There are probably hundreds of thousands of Google Chrome extensions out there, and with so many options to choose from, it can be hard to know whether the plugin you want to install is hiding malware nasties.

That could become a thing of the past, though, as Google is testing a feature that will warn you if an extension you installed has been removed from its Chrome Web Store.

Read more
Chrome has a security problem — here’s how Google is fixing it
Google Chrome icon in mac dock.

Google is looking to get ahead of high-severity vulnerabilities on its Chrome browser by shortening the time between security updates.

The brand hopes that more frequent updates will give bad actors less time to access and exploit n-day and zero-day flaws found within Chrome browser code.

Read more
This PowerPoint ploy could help hackers empty your bank account
A hacker typing on an Apple MacBook laptop, which shows code on its screen.

 

With various cybersecurity threats on a constant rise, it certainly feels like dangerous malware is around every corner. This time, it found its way into PowerPoint presentations disguised as helpful guides on how to protect yourself against phishing. The irony of it all is strong, but the worst part is that this malware could help attackers empty your bank account.

Read more