Google Revealed a Microsoft Edge Zero-day Bug in public since Microsoft misses the 90-day deadline as well as an additional 14-day grace period.
Google built a full-time dedicated Security team, known as Project Zero, that aims to prevent targeted attacks by reporting bugs to software vendors and filing them in an external database.
A disclosed bug was discovered back in November 2017 by Zero-day team that will lead to allowing code injection and execution in Microsoft Edge Browser.
Microsoft still processing the bug and conforming to Google that no time frame for this bug to release, The Project-Zero team went public with the full technical details of the Edge bug.
Ivan Fratric, a security engineer with Google’s Project Zero team, has discovered a way to bypass ACG and allow an attacker to load unsigned code in memory.
This could, in theory at least, give attackers a way into Windows boxes via malicious websites loaded via Edge by leveraging a flaw in the browser’s JIT (Just-in-Time) compiler.
After this disclose went on public Microsoft replied that, ‘The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues. The team IS positive that this will be ready to ship on March 13th, however, this is beyond the 90-day SLA and 14-day grace period to align with Update Tuesdays’.”
Since Google always following Aggressive disclosure policies makes software vendors to strictly focus on their security bugs and keep them working and fix it as soon as possible.
Last week Microsoft Released security Patch Tuesday updates for all security fixes that affect Windows 10 and some non-security fixes also released.
There are 50 critical security fixes are reported in this February patches for Explorer (IE), Microsoft Edge, ChakraCore, Microsoft Windows, and Microsoft Office.
But due to the complexity of the bug, Microsoft didn’t release a patch with February security updates.
In this case, The [Microsoft Edge] team IS positive that this will be ready to ship on March 13th Tuesday security updates.
A groundbreaking technique for Kerberos relaying over HTTP, leveraging multicast poisoning, has been recently detailed…
Since mid-2024, cybersecurity researchers have been monitoring a sophisticated Android malware campaign dubbed "Tria Stealer,"…
Proton, the globally recognized provider of privacy-focused services such as Proton VPN and Proton Pass,…
The cybersecurity landscape faces increasing challenges as Arcus Media ransomware emerges as a highly sophisticated…
Proofpoint researchers have identified a marked increase in phishing campaigns and malicious domain registrations designed…
A recent investigation by Unit 42 of Palo Alto Networks has uncovered a sophisticated, state-sponsored…