Edge browser suffers security flaw which Microsoft failed to fix on time
Google has found a vulnerability in Windows 10’s Edge browser, and the bad news is that this security bug has been disclosed to all and sundry before Microsoft could patch it.
The vulnerability can be used to sidestep Microsoft’s Arbitrary Code Guard (ACG) protection, leveraging a flaw in the browser’s JIT (Just-in-Time) compiler.
It’s classified as a “medium” severity flaw, so while not up there with the critical bugs, it’s definitely a hole which needs to be patched—and as noted, that hasn’t happened.
Google gave Microsoft the standard 90 days to fix the problem, and then an additional two weeks’ worth of time when the issue was found to be a more troublesome gremlin to remedy than first thought.
Unfortunately, even that fortnight extension wasn’t enough, so the vulnerability is now public knowledge and unpatched.
As Neowin reports, Microsoft is apparently confident that it will have the fix in line for the next big patch day on March 13. Of course, that’s still just over three weeks away.
And this delay really doesn’t look good for Microsoft, considering that the firm has had something of an uphill battle on the security front with Edge, the software giant has often talked-up the browser in terms of security, when the reality of this has sometimes fallen short, as we saw when Edge was found to be the least secure browser at Pwn2Own (a computer hacking contest held annually at the CanSecWest security conference) last year.
This certainly looks like a security slip, and won’t help Microsoft’s overall image in that respect. All that said, it’s clear that socks are being pulled up on the Edge team—for example, where phishing is concerned, Edge was rated the top browser in defending against that particular online evil in one report last October.