Google exposes an Edge bug Microsoft still hasn't patched

By Chris Davies/Feb. 19, 2018 10:22 am EST

Google security researchers have revealed a security flaw in Microsoft Edge, making the issue public before a fix for the browser has been released. The problem in the Windows 10 browser was identified by Google's Project Zero team, a group of researchers and analysts that, since mid-2014, has been tasked with digging out flaws and zero-day vulnerabilities in code both inside and outside of the company.

Sure enough, back on November 17, 2017, the Project Zero team spotted a potential issue in Edge, its Windows 10 browser. That problem was based on Microsoft's implementation of an Arbitrary Code Guard, or ACG, in the browser, using a separate process for the JIT, or Just In Time, compiling.

As part of that, the Google researchers figured out, they could use compromised content to predict where the JIT process was going to be called in shared memory. By knowing that, they could drop an executable payload there, waiting for the JIT to call upon it. That could be used to create an executable page with content a third-party controls, bypassing Microsoft's ACG in the process.

Unsurprisingly that's not something you want going on in a browser, and the Project Zero team informed Microsoft of the potential exploit. It also operates on a 90 day disclosure deadline. "After 90 days elapse or a patch has been made broadly available," Google's security team points out, "the bug report will become visible to the public."

That 90 day period expired on February 15. At the time, Microsoft told the Project Zero team that while it had hoped to have a fix for the Edge exploit ready, it proved trickier than expected to address.

"The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues," Microsoft said in its statement. "The team IS positive that this will be ready to ship on March 13th, however this is beyond the 90-day SLA and 14-day grace period to align with Update Tuesdays."

It's worth noting that there are no reported cases of the exploit actually being exploited in the wild at present. Still, getting it patched up is turning out to be a more lengthy process than anybody involved could've guessed. According to an update by Google earlier today, Microsoft is now saying that "because of the complexity of the fix, they do not yet have a fixed date set as of yet."