Tuesday, February 25, 2025
Follow us On Linkedin
HomeCVE/vulnerabilityGoogle Disclosed a Microsoft Edge Zero-day Bug Before Patch is Released -...

Google Disclosed a Microsoft Edge Zero-day Bug Before Patch is Released – 90-day Deadline Crossed

CVE/vulnerabilitySecurity News

Published on

By Balaji
Google Disclosed a Microsoft Edge Zero-day Bug Before Patch is Released – 90-day Deadline Crossed

Supply Chain Attack Prevention

SIEM as a Service

Follow Us on Google News

Google Revealed a Microsoft Edge Zero-day Bug in public since Microsoft misses the 90-day deadline as well as an additional 14-day grace period.

Google built a full-time dedicated Security team, known as Project Zero, that aims to prevent targeted attacks by reporting bugs to software vendors and filing them in an external database.

A disclosed bug was discovered back in November 2017 by Zero-day team that will lead to allowing code injection and execution in Microsoft Edge Browser.

Microsoft still processing the bug and conforming to Google that no time frame for this bug to release, The Project-Zero team went public with the full technical details of the Edge bug.

Microsoft Edge Zero-day Bug Revealed in Public

Ivan Fratric, a security engineer with Google’s Project Zero team, has discovered a way to bypass ACG and allow an attacker to load unsigned code in memory.

This could, in theory at least, give attackers a way into Windows boxes via malicious websites loaded via Edge by leveraging a flaw in the browser’s JIT (Just-in-Time) compiler.

After this disclose went on public Microsoft replied that, ‘The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues. The team IS positive that this will be ready to ship on March 13th, however, this is beyond the 90-day SLA and 14-day grace period to align with Update Tuesdays’.” 

Since Google always following Aggressive disclosure policies makes software vendors to strictly focus on their security bugs and keep them working and fix it as soon as possible.

Last week Microsoft Released security Patch Tuesday updates for all security fixes that affect Windows 10 and some non-security fixes also released.

There are 50 critical security fixes are reported in this  February patches for Explorer (IE), Microsoft Edge, ChakraCore, Microsoft Windows, and Microsoft Office.

But due to the complexity of the bug, Microsoft didn’t release a patch with February security updates.

In this case, The [Microsoft Edge] team IS positive that this will be ready to ship on March 13th Tuesday security updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

cyber security

GitVenom Campaign Abuses Thousands of GitHub Repositories to Infect Users

The GitVenom campaign, a sophisticated cyber threat, has been exploiting GitHub repositories to spread...
cyber security

UAC-0212: Hackers Unleash Devastating Cyber Attack on Critical Infrastructure

In a recent escalation of cyber threats, hackers have launched a targeted campaign, identified...
Chrome

Widespread Chrome Malware: 16 Extensions Infect Over 3.2 Million Users

A recent cybersecurity investigation has uncovered a cluster of 16 malicious Chrome extensions that...
cyber security

Sliver C2 Server Vulnerability Enables TCP Hijacking for Traffic Interception

A significant vulnerability has been discovered in the Sliver C2 server, a popular open-source...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

Register Now

More like this

CVE/vulnerability

Smart Bed Security Flaw Lets Hackers Access Other Network Devices

A security researcher has uncovered critical vulnerabilities in Eight Sleep’s internet-connected smart beds, revealing...
CVE/vulnerability

Parallels Desktop 0-Day Exploit Enables Root Privileges – PoC Released

A critical zero-day vulnerability in Parallels Desktop virtualization software has been publicly disclosed after...
CVE/vulnerability

Exim Mail Transfer Vulnerability Allows Attackers to Inject Malicious SQL

A newly disclosed vulnerability in the Exim mail transfer agent (CVE-2025-26794) has sent shockwaves...

GBHackers on Security is a top cybersecurity news platform, delivering up-to-date coverage on breaches, emerging threats, malware, vulnerabilities, and global cyber incidents.

Company

Trending

Categories

Copyright @ 2016 - 2024 GBHackers On Security - All Rights Reserved