Tuesday, December 3, 2024
HomeCVE/vulnerabilityGoogle Disclosed a Microsoft Edge Zero-day Bug Before Patch is Released -...

Google Disclosed a Microsoft Edge Zero-day Bug Before Patch is Released – 90-day Deadline Crossed

Published on

SIEM as a Service

Google Revealed a Microsoft Edge Zero-day Bug in public since Microsoft misses the 90-day deadline as well as an additional 14-day grace period.

Google built a full-time dedicated Security team, known as Project Zero, that aims to prevent targeted attacks by reporting bugs to software vendors and filing them in an external database.

A disclosed bug was discovered back in November 2017 by Zero-day team that will lead to allowing code injection and execution in Microsoft Edge Browser.

- Advertisement - SIEM as a Service

Microsoft still processing the bug and conforming to Google that no time frame for this bug to release, The Project-Zero team went public with the full technical details of the Edge bug.

Microsoft Edge Zero-day Bug Revealed in Public

Ivan Fratric, a security engineer with Google’s Project Zero team, has discovered a way to bypass ACG and allow an attacker to load unsigned code in memory.

This could, in theory at least, give attackers a way into Windows boxes via malicious websites loaded via Edge by leveraging a flaw in the browser’s JIT (Just-in-Time) compiler.

After this disclose went on public Microsoft replied that, ‘The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues. The team IS positive that this will be ready to ship on March 13th, however, this is beyond the 90-day SLA and 14-day grace period to align with Update Tuesdays’.” 

Since Google always following Aggressive disclosure policies makes software vendors to strictly focus on their security bugs and keep them working and fix it as soon as possible.

Last week Microsoft Released security Patch Tuesday updates for all security fixes that affect Windows 10 and some non-security fixes also released.

There are 50 critical security fixes are reported in this  February patches for Explorer (IE), Microsoft Edge, ChakraCore, Microsoft Windows, and Microsoft Office.

But due to the complexity of the bug, Microsoft didn’t release a patch with February security updates.

In this case, The [Microsoft Edge] team IS positive that this will be ready to ship on March 13th Tuesday security updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

PEFT-As-An-Attack, Jailbreaking Language Models For Malicious Prompts

Federated Parameter-Efficient Fine-Tuning (FedPEFT) is a technique that combines parameter-efficient fine-tuning (PEFT) with federated...

Hackers Cloning Websites, Exploiting RCE Flaws To Gain Access To Shopping Platforms

Cybercriminals are leveraging AI-powered phishing attacks, website cloning tools, and RCE exploits to target...

Hackers Exploited Windows Event Logs Tool log Manipulation, And Data Exfiltration

wevtutil.exe, a Windows Event Log management tool, can be abused for LOLBAS attacks. By...

Threat Actors Allegedly Claims Breach of EazyDiner Reservation Platform

Reports have emerged of a potential data breach involving EazyDiner, a leading restaurant reservation...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Salesforce Applications Vulnerability Could Allow Full Account Takeover

A critical vulnerability has been discovered in Salesforce applications that could potentially allow a...

TP-Link HomeShield Function Vulnerability Let Attackers Inject Malicious Commands

A significant vulnerability has been identified in TP-Link's HomeShield function, affecting a range of...

HPE IceWall Flaw Let Attackers cause Unauthorized Data Modification

Hewlett Packard Enterprise (HPE) has issued an urgent security bulletin addressing a critical vulnerability...