Google exposes another zero-day security flaw in Edge as Microsoft misses the fix deadline

Browser security is hard, and it seems sometimes it is easier to break something than to fix it.

Microsoft nemesis Google Project Zero has once again made a flaw in Microsoft’s Edge browser public before the company could push out a fix.

The issue concerns Microsoft’s Just-In-Time (JIT) compiler for JavaScript, which in Microsoft Edge runs in a separate process that is by design not protected by Arbitrary Code Guard (ACG), the mitigation that stops the content process from creating or modifying executable memory itself. The JIT process instead places compiled code into the content process by calling VirtualAllocEx() on it. It turns out that if a content process is compromised and can predict the address at which the JIT process is going to call VirtualAllocEx() next, the content process can:
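To make the VirtualAllocEx() part concrete, here is an added example (written for this page, not code from the article or from the Project Zero report) that demonstrates, inside a single process, the documented Win32 behaviour that the description above relies on: committing pages with VirtualAlloc() that are already committed does not fail, applies the new page protection, and leaves the existing contents in place. It assumes that the JIT process's VirtualAllocEx() call requests MEM_COMMIT with PAGE_EXECUTE_READ; the helper name Get-PageProtect and the four-byte placeholder payload are this example's own. Run it in a normal PowerShell 5.1 session on 64-bit Windows; it never executes the bytes it writes.

```powershell
# Added example: Win32 re-commit semantics behind the Edge ACG bypass described above.
# Not from the article or the Project Zero report; payload bytes are a constructed placeholder.
$sig = @'
using System;
using System.Runtime.InteropServices;
public static class Mem {
    [StructLayout(LayoutKind.Sequential)]
    public struct MEMORY_BASIC_INFORMATION {
        public IntPtr BaseAddress;
        public IntPtr AllocationBase;
        public uint   AllocationProtect;
        public IntPtr RegionSize;
        public uint   State;
        public uint   Protect;
        public uint   Type;
    }
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr VirtualAlloc(IntPtr lpAddress, UIntPtr dwSize, uint flAllocationType, uint flProtect);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool VirtualFree(IntPtr lpAddress, UIntPtr dwSize, uint dwFreeType);
    [DllImport("kernel32.dll")]
    public static extern UIntPtr VirtualQuery(IntPtr lpAddress, out MEMORY_BASIC_INFORMATION lpBuffer, UIntPtr dwLength);
}
'@
Add-Type -TypeDefinition $sig

$MEM_COMMIT = 0x1000; $MEM_RESERVE = 0x2000; $MEM_RELEASE = 0x8000
$PAGE_READWRITE = 0x04; $PAGE_EXECUTE_READ = 0x20
$pageSize = [UIntPtr]::new([uint64]4096)

# Helper (this example's own): current protection of the page containing $Address.
function Get-PageProtect([IntPtr]$Address) {
    $mbi  = New-Object Mem+MEMORY_BASIC_INFORMATION
    $size = [UIntPtr]::new([uint64][System.Runtime.InteropServices.Marshal]::SizeOf([type][Mem+MEMORY_BASIC_INFORMATION]))
    [void][Mem]::VirtualQuery($Address, [ref]$mbi, $size)
    return $mbi.Protect
}

# Step 1: the "content process" side. Own a writable page and fill it with bytes of its choosing.
# ACG would block this process from ever making the page executable itself.
$page = [Mem]::VirtualAlloc([IntPtr]::Zero, $pageSize, ($MEM_COMMIT -bor $MEM_RESERVE), $PAGE_READWRITE)
if ($page -eq [IntPtr]::Zero) {
    throw "VirtualAlloc failed: $([System.Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
$payload = [byte[]](0xC3, 0x90, 0x90, 0x90)   # constructed placeholder: ret, nop, nop, nop
[System.Runtime.InteropServices.Marshal]::Copy($payload, 0, $page, $payload.Length)
"after RW allocation : protect=0x{0:X}" -f (Get-PageProtect $page)

# Step 2: the call the JIT server is assumed to make against that same address, issued here
# in-process with VirtualAlloc (VirtualAllocEx on a remote process takes the same path).
$again = [Mem]::VirtualAlloc($page, $pageSize, $MEM_COMMIT, $PAGE_EXECUTE_READ)
if ($again -eq [IntPtr]::Zero) {
    throw "re-commit failed: $([System.Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
"after re-commit     : base=0x{0:X} protect=0x{1:X}" -f $again.ToInt64(), (Get-PageProtect $page)

# Step 3: re-committing already-committed pages does not zero them, so the attacker-chosen
# bytes now sit in an executable page without the content process having called any
# ACG-blocked API. Verify the contents survived.
$readback = New-Object byte[] $payload.Length
[System.Runtime.InteropServices.Marshal]::Copy($page, $readback, 0, $readback.Length)
"payload preserved   : {0}" -f (($readback -join ',') -eq ($payload -join ','))

[void][Mem]::VirtualFree($page, [UIntPtr]::Zero, $MEM_RELEASE)
```

Expected on a system where the page's description holds: the first line reports protect 0x4 (PAGE_READWRITE), the second reports the same base address with protect 0x20 (PAGE_EXECUTE_READ), and the third reports True. The point for defenders is that the protection change is performed by whichever process issues the commit, so an out-of-process JIT that commits executable memory at a predictable address is handing the content process exactly the primitive ACG was meant to take away.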

Google rated the issue Medium severity and reported it to Microsoft in November 2017. Microsoft has, however, had difficulty fixing it, missing both the 90-day disclosure deadline and the additional 14-day grace period the company asked for.

Microsoft now hopes to have a fix available by Patch Tuesday next month. Note that the bug is an ACG bypass rather than a remote code execution flaw in its own right: an attacker first needs a separate exploit that compromises the content process. Given Edge’s current small market share, I suspect Edge users have little to worry about, since, unlike Google’s Project Zero, most attackers will be looking elsewhere.

Read all the details in Google Project Zero’s public bug report here.
