As part of the Project Zero program, Google has discovered a vulnerability in Microsoft Edge and researcher has publicly disclosed the vulnerability as the software giant missed the deadline. Google Project Zero team offered Microsoft 90-day grace period to fix the bug but the software giant failed to resolve it.
Google security researcher Ivan Fratric says the security flaw exists in Microsoft Edge, which would allow the attacker to compromise a Windows 10 host by bypassing Arbitrary Code Guard. Arbitrary Code Guard (ACG) is a security feature implemented in Microsoft Edge with Windows 10 Creators Update as an attempt to improve the security of the browser, this technology is designed to block JavaScript exploits that attempt to load malicious native code into memory.
It’s worth noting that the process to outsmart Microsoft’s technology is not as easy as it appears since the users are exposed only when they visit a compromised page, in other words, attackers can do this with malicious websites only.
Google Project Zero team notified Microsoft about the vulnerability in November. Microsoft missed the deadline as the company needs more time to fix this issue, however, the software giant will roll out new cumulative updates for Windows 10 in March to fix this vulnerability, the patch is estimated to be ready by March 13.
“The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues. The team IS positive that this will be ready to ship on March 13th, however this is beyond the 90-day SLA and 14-day grace period to align with Update Tuesdays,” Microsoft explains.
While the Microsoft Edge is still vulnerable, you can remain protected by avoiding visits to unknown websites with the browser, and as well as the sites spread via email or messages.
