Skip to main content

Microsoft misses another Edge-related 90-day security disclosure deadline

Google’s Project Zero team released a report identifying another security flaw in Microsoft Edge. The team traditionally provides 90 days for developers to fix the uncovered issue(s) and exposes said issue(s) if they are not resolved within that timeframe. That means Microsoft didn’t respond to the team’s initial bug report, thus Project Zero is now coming forward with its findings. 

But Microsoft isn’t simply ignoring the report. The company deems the issue as “important” rather than “critical” because hackers can’t remotely take advantage of the Microsoft Edge security hole. Instead, they must execute code locally on the target PC using a normal privilege level. But the researcher who discovered the vulnerability deems it as “high severity” given it’s still easy to exploit despite the need for local device access. 

As for the actual problem, it provides hackers with administrator privileges on the target PC. That essentially means they can do anything on the device: Install programs, delete files, and so on. Getting administrator privileges through the vulnerability starts with the way a “hard-linked” file receives a security descriptor and is moved to a new destination. Once in the new folder, Windows 10 changes the file’s security descriptor to match the security settings of the current folder. 

That said, if the hard-linked file was originally set to read-only, the flaw allows anyone on the network to edit that file after it’s moved to the new directory. That is a simplified explanation and is apparently only a problem on Windows 10. The Project Zero team successfully exploited the security flaw on Windows 10 version 1709. 

The issue is one of two reported by the Project Zero team. The first problem, Issue 1427, received a fix on February 13, whereas the issue listed in the public report published on Tuesday, February 20, (1428) was not. The Proof of Concept consists of software compiled in C++ executing as a normal user to create a file in the Windows folder using the “SvcMoveFileInheritSecurity” method. 

The issue Microsoft did fix is listed as CVE-2018-0826. According to the filing, Windows Storage Services “allows an elevation of privilege vulnerability due to the way objects are handled in memory.” It applies to Windows 10 versions 1511, 1607, 1703, and 1709 along with Windows Server 2016 and Windows Server version 1709. 

Google’s Project Zero team disclosed another vulnerability earlier this week that Microsoft has yet to fix. Originally disclosed to the company in November, the bug resides in Microsoft Edge and centers on a compiler for JavaScript. Hackers can compromise the browser by predicting the path of the compiling process. Unfortunately, Microsoft couldn’t provide a fix before the 90-day deadline. 

“The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues,” the Microsoft Security Research Center stated. “The team is positive that this will be ready to ship on March 13th.” 

Editors' Recommendations

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
Microsoft Edge gets hit with the same serious security bug that plagued Chrome
The Microsoft Edge browser is open on a Surface Book 2 in tablet mode.

Microsoft just released an Edge browser update that patches a dangerous flaw that could allow a cleverly designed attack to execute arbitrary code. While every security update should be installed promptly, this one is a bit more urgent because the attack is "in the wild" already, meaning that hackers are already taking advantage of this vulnerability to breach security.

Designated CVE-2022-2294, this vulnerability was actually a flaw with the Chromium project, the open-source code that Google's Chrome browser is built upon. Microsoft uses the same base code for the Edge browser, meaning bugs that affect one often plague the other. Google patched the same bug recently and has been keeping quiet about details of the attack to allow others to make similar fixes, since Chromium is quite a popular codebase.

Read more
You might be able to edit photos directly in Microsoft Edge soon
microsoft edge gets startup boost feature take on chrome new

The Microsoft Edge browser might one day allow users to edit photos directly from the right-click option online.

Currently, the feature is an A/B testing option that can be downloaded for the latest Microsoft Edge Canary update once it becomes available. Redditor Leopeva64-2 shared their experience with the feature on the website, showing how it opens a built-in editor in the browser, allowing you to edit images before saving them to your computer.

Read more
Microsoft just turned the Edge browser into a gaming powerhouse
ms edge gaming more game pass membership 0f880cdda61bf113972b

Microsoft just turned its Edge browser into a gaming powerhouse with a suite of new features, including a gaming home feed, crisper graphics for cloud gaming, and a buffet of casual online games.

The update to Edge began rolling out to Windows 10 and Windows 11 devices this morning, and certainly makes it stand out among the tight competition for the best web browsers.

Read more