Google reveals Edge bug that Microsoft has had trouble fixing

Oh great - because Google's explained how to make Edge run dodgy code

By Simon Sharwood


Google has again decided to disclose a flaw in Microsoft software before the latter company could deliver a fix. Indeed, Microsoft has struggled to fix this problem.

Detailed here on Google's Project Zero bug-tracker, the flaw impacts the just-in-time compiler that Microsoft's Edge browser uses to execute JavaScript and makes it possible to predict the memory space it is about to use. Once an attacker knows about that memory, they could pop their own code in there and have all sorts of naughty fun as Edge executes instructions of their choice rather than JavaScript in the web page the browser was rendering.

News of the flaw was posted to Project Zero on November 17th, 2017, with the usual warning that "This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public."

Google later gave Microsoft 14 more days to sort things out.

But last week, on February 15th, came a post that said Microsoft "replied that 'The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues. The team IS positive that this will be ready to ship on March 13th, however this is beyond the 90-day SLA and 14-day grace period to align with Update Tuesdays'."

The next post stated simply "Deadline exceeded -- automatically derestricting". The latest post in the thread said Microsoft has advised Google that "because of the complexity of the fix, they do not yet have a fixed date set as of yet."

Which is just great news - NOT - seeing as Google's original post explains the flaw in great detail and is now visible to anyone who feels like some evil fun.

This is not the first time Project Zero has revealed flaws before Microsoft has been able to fix them, and Redmond doesn't like it one little bit.

In October 2017, for example, Microsoft criticised Google on grounds that disclosure can endanger users. That outcome looks to be possible in this case.

Also worth considering is Google's behaviour in the revelation of the Meltdown/Spectre CPU design flaws, as on that occasion it listed the problems in June 2017 but didn't disclose until January 2018. ®
