Skip to main content

Google found another critical security flaw in Microsoft Edge

Google’s Project Zero disclosed a software vulnerability in Microsoft’s Edge browser over the weekend. The flaw was first reported privately but after Microsoft failed to patch the issue in time, Google’s Project Zero team revealed the technical details of the vulnerability along with Microsoft’s response.

Let’s be clear though, this security vulnerability isn’t the kind of thing you need to run out and uninstall Edge over. Chances are you’re using a different browser anyway, but until it’s fixed maybe stick to Chrome or Firefox. The vulnerability itself establishes a workaround for one of Edge’s built-in security countermeasures, Arbitrary Code Guard (ACG). Sidestepping ACG, Google security researcher Ivan Fratric found a way to load unsigned code into memory from malicious website accessed via Microsoft Edge.

“The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues. The team is positive that this will be ready to ship on March 13th,” Microsoft replied to Fratric’s disclosure.

However, Microsoft added, the complexity of the fix has made it difficult to nail down a fixed date for release. Microsoft is reportedly aiming for a mid-March release for the patch, but it’s unclear if the company will make that self-imposed deadline.

We’re only hearing about this now because of Google Project Zero’s security vulnerability policy. When Project Zero discovers a vulnerability, the team reaches out privately to the manufacturer of the product — in this case, Microsoft — giving the manufacturer 90 days to get a fix together before they disclose the vulnerability to the public. This particular disclosure is unlikely to make anyone in Microsoft’s Redmond, Washington, headquarters particularly happy.

As Engadget points out, it’s not the first time Google’s exploit-finding-team has rubbed Microsoft the wrong way. Google and Microsoft have all but come to blows over these disclosures in the past, with each company taking pains to poke holes in the other’s products in order to promote their own. That doesn’t appear to be the case here but it is unlikely anyone at Microsoft is going to look favorably upon this security vulnerability being thrust into the spotlight.

Editors' Recommendations

Jayce Wagner
Former Digital Trends Contributor
A staff writer for the Computing section, Jayce covers a little bit of everything -- hardware, gaming, and occasionally VR.
Microsoft accidentally released 38TB of private data in a major leak
A large monitor displaying a security hacking breach warning.

It’s just been revealed that Microsoft researchers accidentally leaked 38TB of confidential information onto the company’s GitHub page, where potentially anyone could see it. Among the data trove was a backup of two former employees’ workstations, which contained keys, passwords, secrets, and more than 30,000 private Teams messages.

According to cloud security firm Wiz, the leak was published on Microsoft’s artificial intelligence (AI) GitHub repository and was accidentally included in a tranche of open-source training data. That means visitors were encouraged to download it, meaning it could have fallen into the wrong hands again and again.

Read more
Microsoft Copilot vs. Google Duet: battle of the next-gen AI smart assistants
Microsoft's AI Copilot being used in various Microsoft Office apps.

Microsoft Copilot and Google Duet are the two most prominent artificial intelligence assistants put out by the various tech giants since OpenAI debuted its ChatGPT chatbot in 2022. They're set to bring that powerful natural language assistance into the enterprise in ways that can enhance productivity, improve the digital fluency of workers, and leverage existing data in new and exciting ways.

But which one is best? Both offer comparable features at a comparable cost, but they aren't interchangeable and even getting access to either tool requires a bit of luck. Here's how these two awesome AI tools compare.

Read more
I found a Chrome extension that makes web browsing bearable again
Google Drive in Chrome on a MacBook.

GDPR cookie consent notices were meant to hand privacy control back to ordinary internet denizens. Instead, they’ve unleashed a tidal wave of deception, with unscrupulous website owners using any means necessary to trick you into letting them harvest your private data for resale and profit.

It wasn’t meant to be like this. But while things might have not gone so well for GDPR, there’s still a way to protect your privacy and banish those annoying pop-ups in one fell swoop. Instead of rage-clicking Accept just to get the damned pop-ups to go away, I’ve found a much better way: the Consent-O-Matic browser extension.

Read more