Google has found a vulnerability in Windows 10’s Edge browser, and the bad news is that this security bug has been disclosed to all and sundry before Microsoft could patch it.
The vulnerability can be used to sidestep Microsoft’s Arbitrary Code Guard (ACG) protection, leveraging a flaw in the browser’s JIT (Just-in-Time) compiler.
It’s classified as a ‘medium’ severity flaw, so while not up there with the critical bugs, it’s definitely a hole which needs to be patched – and as noted, that sadly hasn’t happened.
Google gave Microsoft the standard 90 days to fix the problem, and then an additional two weeks’ worth of time when the issue was found to be a more troublesome gremlin to remedy than first thought.
Unfortunately, even that fortnight extension wasn’t enough, so the vulnerability is now public knowledge and unpatched.
As Neowin reports, Microsoft is apparently confident that it will have the fix in line for the next big patch day on March 13. Of course, that’s still just over three weeks away.
And this delay really doesn’t look good for Microsoft, considering that the firm has had something of an uphill battle on the security front with Edge. By that, we mean the software giant has often talked-up the browser in terms of security, when the reality of this has sometimes fallen short, as we saw when Edge was found to be the least secure browser at Pwn2Own last year.
This certainly looks like a security slip, and won’t help Microsoft’s overall image in that respect. All that said, it’s clear that socks are being pulled up on the Edge team – for example, where phishing is concerned, Edge was rated the top browser in defending against that particular online evil in one report last October.
So things seem a little up-and-down for Edge security these days, but if Microsoft wants to convince more folks to start using Windows 10’s browser, it needs to be taking a lot more steps forwards than backwards – on the security front, and elsewhere for that matter.