Google Publishes Unpatched Flaw In Microsoft Edge Browser

Google has gone public with details of an unpatched flaw in Microsoft’s Edge web browser that could allow hackers to execute malicious JavaScript code on Windows computers.

The information was published by Google’s Project Zero, which tracks down flaws in other companies’ products and gives those companies a 90-day window to publish fixes.

In this case, Microsoft told Google it wouldn’t be able to release a fix in time for its regularly scheduled February patch day, which fell on Tuesday of last week. Instead, it’s planning a patch for next month’s patch date, which falls on 13 March.

But even that date may slip, Microsoft has now acknowledged.


‘No date’ for a fix

“Because of the complexity of the fix, they do not yet have a fixed date set as of yet,” said Google researcher Ivan Fratric in a Monday update to the Project Zero advisory.

The controversial Project Zero programme has now automatically published detailed technical information on the flaw, leaving it exposed to exploitation by hackers.

The bug allows an attacker to bypass an Edge security feature called Arbitrary Code Guard (ACG), introduced in April of last year with the Windows 10 Creators Update.

The feature aims to prevent attackers from running JavaScript in Edge to load malicious code into a computer’s memory. It works along with another feature called Code Integrity Guard (CIG), introduced at the same time, which requires code signing for drivers run by Edge.

Fratric said he notified Microsoft of the issue in mid-November. Microsoft informed him shortly before the end of the 90-day publication window last week that it wouldn’t be able to meet the deadline.

Google ranked the bug as “medium” severity.

JavaScript is routinely used in malicious attachments to download attack code from remote servers. In January of last year Google said it would begin blocking the code from use in Gmail attachments due to the risk.


Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDNet and other leading publications.
