Security Vulnerability Detected by Google in Microsoft Edge

Google in Microsoft Edge

Google has now detected a new vulnerability in Microsoft Edge, the Windows 10 default web browser; this detection has been made as part of Google’s Project Zero program.

On MSFT, which claims to be one of the original Microsoft-centered communities, has published a blog on this issue. The blog post, which is titled ‘Google’s Project Zero exposes new Microsoft Edge security flaw’, says- “Google’s Project Zero, a team of security researchers tasked with finding vulnerabilities in Google’s own software and that of third-parties, has exposed a new security flaw in Microsoft Edge (via Neowin), the default web browser in Windows 10.”

This flaw has been exposed by the Project Zero team of researchers after Microsoft failed to resolve the issue even after Google offered the company the 90-day SLA and an additional 14-day grace period, to fix the bug. The security flaw would allow a hacker to compromise a Windows 10 host bypassing ACG ( Arbitrary Code Guard), a security feature that’s implemented in Microsoft Edge.

Windows Latest, which discusses things that pertain to Microsoft and presents reviews of all new Microsoft/Windows devices, discusses the issue in a blog post that says- “Google security researcher Ivan Fratric says the security flaw exists in Microsoft Edge, which would allow the attacker to compromise a Windows 10 host by bypassing Arbitrary Code Guard. Arbitrary Code Guard (ACG) is a security feature implemented in Microsoft Edge with Windows 10 Creators Update as an attempt to improve the security of the browser, this technology is designed to block JavaScript exploits that attempt to load malicious native code into memory.”

The Windows Latest post points out that the attackers can execute attacks exploiting this vulnerability only when users visit compromised websites. The post says- “It’s worth noting that the process to outsmart Microsoft’s technology is not as easy as it appears since the users are exposed only when they visit a compromised page, in other words, attackers can do this with malicious websites only.”

The Project Zero research team had notified Microsoft about this vulnerability, which was marked as “medium” in severity, in November 2017. The software giant missed the deadline (the usual 90-day period plus an extra 14-day extension that was granted) to fix the issue since it needs more time to do it. Microsoft, however, would roll out new cumulative updates for Windows 10 in March, aiming to fix this bug. It’s estimated that the patch for this vulnerability would be ready by March 13.

It’s to be noted that though Microsoft Edge would continue to be vulnerable till the bug is fixed, users can stay protected by avoiding unknown websites while using the browser.

Kevin Jones434 Posts

Kevin Jones, Ph.D., is a research associate and a Cyber Security Author with experience in Penetration Testing, Vulnerability Assessments, Monitoring solutions, Surveillance and Offensive technologies etc. Currently, he is a freelance writer on latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like hackercombat.com and others. He holds prestigious certifications like OSWP, OSCP, ITIL. His goals in life are simple - to finish her maiden business venture on Cybersecurity, and then to keep writing books for as long as possibly can and never miss a flight that makes the news.

0 Comments

Leave a Comment

Login

Welcome! Login in to your account

Remember me Lost your password?

Don't have account. Register

Lost Password
Register