Google reveals Edge bug that Microsoft has had trouble fixing

Oh great - because Google's explained how to make Edge run dodgy code

By Simon Sharwood


Google has again decided to disclose a flaw in Microsoft software before the latter company could deliver a fix. Indeed, Microsoft has struggled to fix this problem.

Detailed here on Google's Project Zero bug-tracker, the flaw impacts the just-in-time compiler that Microsoft's Edge browser uses to execute JavaScript and makes it possible to predict the memory space it is about to use. Once an attacker knows about that memory, they could pop their own code in there and have all sorts of naughty fun as Edge executes instructions of their choice rather than JavaScript in the web page the browser was rendering.

News of the flaw was posted to Project Zero on November 17th, 2017, with the usual warning that "This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public."

Google later gave Microsoft 14 more days to sort things out.

But last week, on February 15th, came a post that said Microsoft "replied that 'The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues. The team IS positive that this will be ready to ship on March 13th, however this is beyond the 90-day SLA and 14-day grace period to align with Update Tuesdays'."

The next post stated simply "Deadline exceeded -- automatically derestricting". The latest post in the thread said Microsoft has advised Google that "because of the complexity of the fix, they do not yet have a fixed date set as of yet."

Which is just great news - NOT - seeing as Google's original post explains the flaw in great detail and is now visible to anyone who feels like some evil fun.

This is not the first time Project Zero has revealed flaws before Microsoft has been able to fix them, and Redmond doesn't like it one little bit.

In October 2017, for example, Microsoft criticised Google on grounds that disclosure can endanger users. That outcome looks to be possible in this case.

Also worth considering is Google's behaviour in the revelation of the Meltdown/Spectre CPU design flaws, as on that occasion it listed the problems in June 2017 but didn't disclose until January 2018. ®
