Google discloses massive Microsoft Edge security hole


The relationship between Microsoft and Google cannot be described as friendly, especially given the events of recent days.

Back in November, the Project Zero team at Google, which is tasked with finding zero-day security bugs, stumbled across an issue with Edge.

The flaw affects Edge’s just-in-time compiler and could allow an attacker to see how much memory the compiler will be using and rewrite that so that a payload can be delivered to the target.

It’s a pretty bad bug, and Microsoft was given 90 days to address the issue and push out a fix, as well as an additional 14 days at a later stage, according to The Register.

Sadly, Microsoft was not able to issue a patch in that time, so Google has decided to make the details of the vulnerability public.

“The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues. The team IS positive that this will be ready to ship on March 13th, however this is beyond the 90-day SLA and 14-day grace period to align with Update Tuesdays,” Microsoft reportedly told Google.

The Redmond giant told the Project Zero team yesterday that, because of the complexity of the fix, it doesn’t have a fixed date as of yet, which is even more concerning given the patch is public for any miscreant to gawk at.

Google has done this sort of thing before, in 2017, when it disclosed an unrelated vulnerability.

[Image – CC BY 2.0 Tyler Merbler]

Brendyn Lotz


Brendyn Lotz writes news, reviews, and opinion pieces for Hypertext. His interests include SMEs, innovation on the African continent, cybersecurity, blockchain, games, geek culture and YouTube.