LONDON: Google seems to be gunning for Microsoft again by going public with a vulnerability in Microsoft Edge before Microsoft could develop a patch.
The flaw affects Microsoft’s Arbitrary Code Guard (ACG) which Microsoft described a year ago in a post about major security improvements released in the Creators Update of Windows 10. To mitigate arbitrary native code execution in Edge, the Creators Update would use “Code Integrity Guard (CIG) and Arbitrary Code Guard (ACG) to help break the most universal primitive found in modern web browser exploits: loading malicious code into memory.”
According to comments posted on the disclosure, The Microsoft Security Response Center replied, “The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues.” MSRC was confident, worded as “positive,” that the patch would be ready by March 13th.
Google Project Zero pointed out that the date exceeded “the 90-day SLA and 14-day grace period to align with Update Tuesdays.” Therefore, Google disclosed the flaw.
But the fix may not roll out on March 2018 Patch Tuesday. Fratric noted that Microsoft wanted to clarify “because of the complexity of the fix, they do not yet have a fixed date set as of yet.”
So now the details are in the public domain and cyber thugs can get to work on exploiting it. On the bright side, how many people actually use Edge? NetMarketShare reported that Edge had a browser market share of 4.67 percent in January. Yet for the people that do use Edge, short of changing browsers, they will have to wait on Microsoft to roll out the patch.