Google reveals Edge bug that Microsoft has had trouble fixing

Oh great - because Google's explained how to make Edge run dodgy code

Google has again decided to disclose a flaw in Microsoft software before the latter company could deliver a fix. Indeed, Microsoft has struggled to fix this problem.

Detailed here on Google's Project Zero bug-tracker, the flaw impacts the just-in-time compiler that Microsoft's Edge browser uses to execute JavaScript and makes it possible to predict the memory space it is about to use. Once an attacker knows about that memory, they could pop their own code in there and have all sorts of naughty fun as Edge executes instructions of their choice rather than JavaScript in the web page the browser was rendering.

News of the flaw was posted to Project Zero on November 17th, 2017, with the usual warning that "This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public."

Google later gave Microsoft 14 more days to sort things out.

But last week, on February 15th, came a post that said Microsoft "replied that 'The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues. The team IS positive that this will be ready to ship on March 13th, however this is beyond the 90-day SLA and 14-day grace period to align with Update Tuesdays'."

The next post stated simply "Deadline exceeded -- automatically derestricting". The latest post in the thread said Microsoft has advised Google that "because of the complexity of the fix, they do not yet have a fixed date set as of yet."

Which is just great news - NOT - seeing as Google's original post explains the flaw in great detail and is now visible to anyone who feels like some evil fun.

This is not the first time Project Zero has revealed flaws before Microsoft has been able to fix them, and Redmond doesn't like it one little bit.

In October 2017, for example, Microsoft criticised Google on grounds that disclosure can endanger users. That outcome looks to be possible in this case.

Also worth considering is Google's behaviour in the revelation of the Meltdown/Spectre CPU design flaws, as on that occasion it listed the problems in June 2017 but didn't disclose until January 2018.
