Security Vulnerability Detected by Google in Microsoft Edge

Google has now detected a new vulnerability in Microsoft Edge, the Windows 10 default web browser; this detection has been made as part of Google’s Project Zero program.

On MSFT, which claims to be one of the original Microsoft-centered communities, has published a blog on this issue. The blog post, which is titled ‘Google’s Project Zero exposes new Microsoft Edge security flaw’, says- “Google’s Project Zero, a team of security researchers tasked with finding vulnerabilities in Google’s own software and that of third-parties, has exposed a new security flaw in Microsoft Edge (via Neowin), the default web browser in Windows 10.”

This flaw has been exposed by the Project Zero team of researchers after Microsoft failed to resolve the issue even after Google offered the company the 90-day SLA and an additional 14-day grace period, to fix the bug. The security flaw would allow a hacker to compromise a Windows 10 host bypassing ACG ( Arbitrary Code Guard), a security feature that’s implemented in Microsoft Edge.

Windows Latest, which discusses things that pertain to Microsoft and presents reviews of all new Microsoft/Windows devices, discusses the issue in a blog post that says- “Google security researcher Ivan Fratric says the security flaw exists in Microsoft Edge, which would allow the attacker to compromise a Windows 10 host by bypassing Arbitrary Code Guard. Arbitrary Code Guard (ACG) is a security feature implemented in Microsoft Edge with Windows 10 Creators Update as an attempt to improve the security of the browser, this technology is designed to block JavaScript exploits that attempt to load malicious native code into memory.”

The Windows Latest post points out that the attackers can execute attacks exploiting this vulnerability only when users visit compromised websites. The post says- “It’s worth noting that the process to outsmart Microsoft’s technology is not as easy as it appears since the users are exposed only when they visit a compromised page, in other words, attackers can do this with malicious websites only.”

The Project Zero research team had notified Microsoft about this vulnerability, which was marked as “medium” in severity, in November 2017. The software giant missed the deadline (the usual 90-day period plus an extra 14-day extension that was granted) to fix the issue since it needs more time to do it. Microsoft, however, would roll out new cumulative updates for Windows 10 in March, aiming to fix this bug. It’s estimated that the patch for this vulnerability would be ready by March 13.

It’s to be noted that though Microsoft Edge would continue to be vulnerable till the bug is fixed, users can stay protected by avoiding unknown websites while using the browser.