Saturday, 19 January, 2019

Google's Project Zero discloses a vulnerability in Microsoft Edge

Theresa Hayes | 20 February, 2018, 21:06

In response to Google's disclosure, Microsoft announced plans to release a patch by mid-March. The bug was originally shared with Microsoft on 17 November of the previous year, but the company was unable to produce a fix in that timeframe.

Google's policy gives companies 90 days after its discovery to fix any security flaw before announcing its findings. Microsoft informed Google that "the fix is more complex than initially anticipated", and the Google engineer who reported the bug said there is no fixed date as of yet for a patch due to the complex nature of the problem.

PS. We were wondering if turning off Edge's Just-In-Time compiler would prevent this bug from being exploitable - because the sequence of operations on which it depends would then never arise. Both companies have a history of revealing security flaws in each other's products, and this time it was Google that publicly revealed a security flaw in the Microsoft Edge browser.

Google originally shared details of the flaw with Microsoft on 17 November 2017, but Microsoft wasn't able to come up with a patch within Google's non-negotiable "you have 90 days to do this" period. Researcher Ivan Fratric was able to load unsigned code into memory from a malicious website accessed via Edge.

Microsoft therefore elected to separate Edge's own "shove new code into memory and run it" JIT feature from the rest of the browser by running the JIT compiler in a separate process.

Google's moves here will likely cause further friction between the two companies, as Microsoft has not been happy in the past with Google's aggressive disclosure policies. It remains to be seen whether Microsoft will meet its stated mid-March deadline. Given Edge's small market share, the security issue was unlikely to affect many people, though it is still embarrassing for the company. "We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure". Last October, Microsoft discovered a vulnerability in Chrome and argued that Google's methods of disclosure were irresponsible. At this point, it is still unclear when Microsoft will have a patch ready to resolve the issue discovered by Project Zero.