News 2 min read

Google discloses security flaw in Edge that Microsoft was late to fix

5 minutes Windows 10 Google gave Microsoft 90 days to fix security flaw; Microsoft failed Google disclosed security flaw in microsoft edge Security researchers at Google’s Project Zero publicly reported about a huge security flaw in Microsoft Edge which allows loading a malicious code into memory. However, Microsoft was notified about the security bug and […]

Google disclosed security flaw in microsoft edge
0 Comments
5 minutes Windows 10

Google gave Microsoft 90 days to fix security flaw; Microsoft failed

Google disclosed security flaw in microsoft edge
Google disclosed security flaw in microsoft edge

Security researchers at Google’s Project Zero publicly reported about a huge security flaw in Microsoft Edge which allows loading a malicious code into memory. However, Microsoft was notified about the security bug and given 90 days to fix it until it is disclosed publicly. Apparently, Microsoft failed to meet the deadline.

Google researchers reported about a security flaw in Microsoft Edge browser Arbitrary Code Guard (ACG) feature in November 2017. Microsoft asked for the extended deadline, and Google gave an extra 14 days to fix the bug and provide it in February’s Patch Tuesday.

However, this month’s patches from Microsoft did not have a fix for this vulnerability. The company says that “the fix is more complex than initially anticipated.” The fix is expected to be released on upcoming Patch Tuesday on the 13th of March. However, it’s not confirmed.

Microsoft Edge vulnerability is reported on Chromium blog

Microsoft Edge users should no longer feel safe and sound. Google released the information about the bug and how it operates. Therefore, anyone who is looking for a flaw to exploit in order to launch cyber attack can now take advantage of it.

Google researcher Ivan Fratric found a vulnerability in Microsoft's Arbitrary Code Guard (ACG) which was rated as “medium.” The flaw affects Just In Time (JIT) compiler for JavaScript and allows attackers to load a malicious code. The problem is described in Chromium blog:

If a content process is compromised and the content process can predict on which address JIT process is going to call VirtualAllocEx() next (note: it is fairly predictable), content process can:

1. Unmap the shared memory mapped above above using UnmapViewOfFile()
2. Allocate a writable memory region on the same address JIT server is going to write and write an soon-to-be-executable payload there.
3. When JIT process calls VirtualAllocEx(), even though the memory is already allocated, the call is going to succeed and the memory protection is going to be set to PAGE_EXECUTE_READ. 

It’s not the first time when Google publicly discloses flaws in Microsoft products

In 2016, Google researchers discovered a flaw in Windows 10. The situation was similar. Microsoft was informed about the vulnerability that allowed attackers to install a backdoor on Windows computer.

However, Google did not remain silent for a long. They took only 10 days to disclose about “critical” vulnerability. Back then Google had deployed a fix for Google Chrome users. However, Windows OS itself remain vulnerable.

After the news about critical vulnerability emerged two years ago, Microsoft spokesperson told that “disclosure by Google puts customers at potential risk.”

Last year Google reported about “crazy bad” vulnerability in Windows 10 that allowed remote code execution. However, Microsoft managed to fix the problem with the latest Patch Tuesday updates. Though, it seems that it’s possible to solve security problems in time.

Did this fix work for you?
Viktoras Jasinskas

Written by

Network & Infrastructure Expert
Network diagnostics VPN troubleshooting DNS configuration Wi-Fi connectivity Proxy and firewall issues

Viktoras Jasinskas is a network and infrastructure expert covering connectivity issues for Windows home and business users. With a background in IT infrastructure, he approaches network problems methodically — isolating whether a fault lies in the OS network stack, driver layer, router configuration, or ISP. His guides address DNS failures, VPN connectivity problems, Wi-Fi drops, IP conflicts, proxy misconfigurations, and firewall rules that block legitimate traffic. Viktoras also contributes to the uGetFix news section, covering security vulnerabilities and network-related threat advisories.

0 Comments

Be the first to comment

Still worried? Run a free check.

Paste any URL or domain — we'll scan it against 4.2M known threats in 10 seconds.

View full scanner → Add to your website →