Google Disclosed a Microsoft Edge Zero-day Bug Before Patch is Released – 90-day Deadline Crossed

Google Revealed a Microsoft Edge Zero-day Bug in public since Microsoft misses the 90-day deadline as well as an additional 14-day grace period.

Google built a full-time dedicated Security team, known as Project Zero, that aims to prevent targeted attacks by reporting bugs to software vendors and filing them in an external database.

A disclosed bug was discovered back in November 2017 by Zero-day team that will lead to allowing code injection and execution in Microsoft Edge Browser.

Microsoft still processing the bug and conforming to Google that no time frame for this bug to release, The Project-Zero team went public with the full technical details of the Edge bug.

Microsoft Edge Zero-day Bug Revealed in Public

Ivan Fratric, a security engineer with Google’s Project Zero team, has discovered a way to bypass ACG and allow an attacker to load unsigned code in memory.

This could, in theory at least, give attackers a way into Windows boxes via malicious websites loaded via Edge by leveraging a flaw in the browser’s JIT (Just-in-Time) compiler.

After this disclose went on public Microsoft replied that, ‘The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues. The team IS positive that this will be ready to ship on March 13th, however, this is beyond the 90-day SLA and 14-day grace period to align with Update Tuesdays’.”

Since Google always following Aggressive disclosure policies makes software vendors to strictly focus on their security bugs and keep them working and fix it as soon as possible.

Last week Microsoft Released security Patch Tuesday updates for all security fixes that affect Windows 10 and some non-security fixes also released.

There are 50 critical security fixes are reported in this  February patches for Explorer (IE), Microsoft Edge, ChakraCore, Microsoft Windows, and Microsoft Office.

But due to the complexity of the bug, Microsoft didn’t release a patch with February security updates.

In this case, The [Microsoft Edge] team IS positive that this will be ready to ship on March 13th Tuesday security updates.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Claude AI Abused in Influence-as-a-Service Operations and Campaigns

Claude AI, developed by Anthropic, has been exploited by malicious actors in a range of…

10 hours ago

Threat Actors Attacking U.S. Citizens Via Social Engineering Attack

As Tax Day on April 15 approaches, a alarming cybersecurity threat has emerged targeting U.S.…

19 hours ago

TerraStealer Strikes: Browser Credential & Sensitive‑Data Heists on the Rise

Insikt Group has uncovered two new malware families, TerraStealerV2 and TerraLogger, attributed to the notorious…

20 hours ago

MintsLoader Malware Uses Sandbox and Virtual Machine Evasion Techniques

MintsLoader, a malicious loader first observed in 2024, has emerged as a formidable tool in…

23 hours ago

Threat Actors Use AiTM Attacks with Reverse Proxies to Bypass MFA

Cybercriminals are intensifying their efforts to undermine multi-factor authentication (MFA) through adversary-in-the-middle (AiTM) attacks, leveraging…

24 hours ago

Threat Actors Target Critical National Infrastructure with New Malware and Tools

A recent investigation by the FortiGuard Incident Response (FGIR) team has uncovered a sophisticated, long-term…

1 day ago