Google discloses Microsoft security flaw before fix is released

Microsoft Edge

As a result, Google published details of the bug immediately, leaving Microsoft Edge users without a patch for almost a month.

Details of the security bypass bug were originally shared with Microsoft on 17 November a year ago, but because Microsoft wasn't able to come up with a suitable patch within Google's non-negotiable 90-day fix period, the security researchers made it public. Most modern web browsers rely on Just-in-Time (JIT) compilers, but this created complications with ACG (Arbitrary Code Guard), forcing Microsoft to move Chakra's JIT functionality into a separate process that runs in an isolated sandbox, which, according to the company, was a hard task to accomplish. Google disclosed a major Windows bug back in 2016 just 10 days after reporting it to Microsoft, and the company has revealed zero-day bugs in Windows in the past before patches were available.

Detailed here on Google's Project Zero bug-tracker, the flaw impacts the just-in-time compiler that Microsoft's Edge browser uses to execute JavaScript and makes it possible to predict the memory space it is about to use.

Exactly 90 days post-discovery, Google revealed Microsoft's excuse, quoting: "The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues. The team IS positive that this will be ready to ship on March 13th, however this is beyond the 90-day SLA and 14-day grace period to align with Update Tuesdays", Microsoft reportedly told Google.

But Microsoft also missed the second deadline to produce a patch for the vulnerability. The way the code is currently set up in Microsoft Edge allows hackers to bypass the security features of the program.

The flaw in Microsoft Edge is rated "medium" in terms of severity. Under the Project Zero team's policy, companies generally have 90 days to fix flaws that the team discovers before a public disclosure. Given Edge's small market share, the security issue was unlikely to affect many people, though it is still embarrassing for the company.

The vulnerability was first discovered by Google's Project Zero in November 2017.
