Microsoft misses another Edge-related 90-day security disclosure deadline

Google’s Project Zero team released a report identifying another security flaw in Microsoft Edge. The team traditionally gives developers 90 days to fix a reported issue and discloses the issue publicly if it is not resolved within that timeframe. That means Microsoft didn’t respond to the team’s initial bug report, so Project Zero is now coming forward with its findings.

But Microsoft isn’t simply ignoring the report. The company rates the issue “important” rather than “critical” because hackers can’t remotely take advantage of the Microsoft Edge security hole. Instead, they must execute code locally on the target PC at a normal privilege level. But the researcher who discovered the vulnerability rates it “high severity” because it’s still easy to exploit despite the need for local device access.

As for the actual problem, it provides hackers with administrator privileges on the target PC. That essentially means they can do anything on the device: install programs, delete files, and so on. Getting administrator privileges through the vulnerability starts with the way a “hard-linked” file receives a security descriptor and is moved to a new destination. Once the file is in the new folder, Windows 10 changes its security descriptor to match the security settings of that folder.

That said, if the hard-linked file was originally set to read-only, the flaw allows anyone on the network to edit that file after it’s moved to the new directory. That is a simplified explanation and is apparently only a problem on Windows 10. The Project Zero team successfully exploited the security flaw on Windows 10 version 1709. 

The issue is one of two reported by the Project Zero team. The first problem, Issue 1427, received a fix on February 13, whereas the issue listed in the public report published on Tuesday, February 20 (Issue 1428), did not. The proof of concept consists of software compiled in C++ that executes as a normal user and creates a file in the Windows folder using the “SvcMoveFileInheritSecurity” method.

The issue Microsoft did fix is listed as CVE-2018-0826. According to the filing, Windows Storage Services “allows an elevation of privilege vulnerability due to the way objects are handled in memory.” It applies to Windows 10 versions 1511, 1607, 1703, and 1709 along with Windows Server 2016 and Windows Server version 1709. 

Google’s Project Zero team disclosed another vulnerability earlier this week that Microsoft has yet to fix. Originally disclosed to the company in November, the bug resides in Microsoft Edge and centers on a compiler for JavaScript. Hackers can compromise the browser by predicting the path of the compiling process. Unfortunately, Microsoft couldn’t provide a fix before the 90-day deadline. 

“The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues,” the Microsoft Security Research Center stated. “The team is positive that this will be ready to ship on March 13th.” 

Kevin Parrish
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…