Microsoft Leaves Edge Flaw Unpatched Until Next Month

Google has revealed details about a pretty serious flaw in Microsoft's Edge web browser, but Microsoft won't be able to fix the problem until the middle of March.

The flaw lets attackers bypass an Edge security feature called Arbitrary Code Guard (ACG) that stops malicious JavaScript from executing on a web page. Bug finders from Google's Project Zero team found the flaw Nov. 17 and gave Microsoft the standard 90 days to fix it before Google disclosed the flaw.

But on the deadline day, Feb. 15, Microsoft told Project Zero that it wouldn't be able to make the deadline, even with a two-week extension that Project Zero had apparently offered. So Google spilled the beans about the flaw, the fix for which will come March 13 with Microsoft's next Patch Tuesday round of scheduled updates.

Edge users might want to refrain from using Microsoft's flagship browser until then.

MORE: Edge vs. Chrome vs. Firefox: Battle of the Windows 10 Browsers

The silver lining here is that this flaw "cannot be exploited on its own," as Google Project Zero researcher Ivan Fratric wrote in a comment to his original blog posting.

To attack someone else's Edge browser, Step One would be to infect or otherwise compromise another process in their browser. Only after that would you be able to proceed to Step Two: You'd use this new flaw to swap in malicious code at exactly the right point in Edge's running memory so that the code replaces benign code that Edge's ACG process was about to run.

"An attacker would first need to exploit a separate vulnerability to gain some capabilities in the Edge content process (such as the ability to read and write arbitrary memory locations)," Fratric wrote, "after which they could use this vulnerability to gain additional capabilities (namely, the ability to run arbitrary machine code)."

The bad news is that Step One is probably within the reach of skilled hackers and properly crafted malware. Fratric's original blog posting, now available for all to see, shows you exactly how to proceed to Step Two. You can bet the bad guys are working to implement Fratric's proof-of-concept exploit before the fix is ready March 13.

Fratric is scheduled to explain even more about how this all works on April 27 at the Infiltrate security conference in Miami Beach.

Image credit: T.Dallas/Shutterstock