Fix now expected on next Patch Tuesday cycle

Feb 18, 2018 06:35 GMT  ·  By

Google has publicly disclosed another security vulnerability in a Microsoft product after the software giant failed to resolve it in the 90-day grace period offered as part of the Project Zero program.

This time the security flaw exists in Microsoft Edge, and Google security researcher Ivan Fratric says it’s possible to bypass Arbitrary Code Guard to compromise a Windows 10 host.

Arbitrary Code Guard (ACG) was introduced by Microsoft in Windows 10 version 1703 (Creators Update). It prevents a process from allocating new executable memory or modifying existing executable code, which is how JavaScript exploits load malicious native code into memory. Fratric, however, says the protection can be bypassed from a malicious website, so users are exposed as soon as their browser is pointed at such a page.
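Whether a given process is actually running under ACG can be checked from the Windows side. The following script is an added example and is not part of the original article or of any Microsoft or Google code; it assumes Windows 10 version 1709 or later, where the built-in ProcessMitigations module exposes `Get-ProcessMitigation` (the `DynamicCode` mitigation is Windows' name for ACG), and it assumes the 2018-era Edge host process names `MicrosoftEdge` and `MicrosoftEdgeCP`.

```powershell
# Added example (not from the article): audit whether Arbitrary Code Guard
# (the "DynamicCode" mitigation) is enforced on running Microsoft Edge processes.
# Assumes Windows 10 1709+ with the ProcessMitigations module available.
# Run from an elevated PowerShell prompt.

function Get-AcgStatus {
    param(
        # Process names to audit. The EdgeHTML-era browser host (MicrosoftEdge)
        # and its content/renderer processes (MicrosoftEdgeCP) are assumed here.
        [string[]]$ProcessName = @('MicrosoftEdge', 'MicrosoftEdgeCP')
    )

    $results = foreach ($p in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        # Query the live mitigation state of the running process by PID.
        $m = Get-ProcessMitigation -Id $p.Id -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name        = $p.ProcessName
            Pid         = $p.Id
            # Expected values: ON, OFF or NOTSET. Only ON means ACG is enforced.
            DynamicCode = if ($m) { $m.DynamicCode.Enable } else { 'UNKNOWN' }
        }
    }
    return $results
}

# Report one row per Edge process. A content process (MicrosoftEdgeCP)
# showing anything other than ON is a renderer that ACG is not protecting.
Get-AcgStatus | Format-Table -AutoSize

# Optional: set the per-executable policy so new content processes start with
# ACG enforced. This writes a persistent mitigation setting; uncomment to apply.
# Set-ProcessMitigation -Name MicrosoftEdgeCP.exe -Enable DynamicCode
```

The audit reads the running processes rather than the registry policy because Edge opts its content processes into ACG itself; the per-executable `Set-ProcessMitigation` line only matters if that default has been changed on the machine. Note that this check tells you whether the mitigation is enabled, not whether a bypass like the one Fratric reported is present; only the vendor patch addresses that.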

Patch coming March 13

In a technical analysis of the bug, Fratric explains that Microsoft was notified in November, but the company said it needed more time to issue a fix. The software firm estimated that the patch would be ready when the next monthly security updates ship, which is scheduled to happen on March 13.

“The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues. The team IS positive that this will be ready to ship on March 13th, however this is beyond the 90-day SLA and 14-day grace period to align with Update Tuesdays,” Microsoft said.

At this point, the only way to stay protected is to avoid visiting unknown websites in Microsoft Edge. Links to such sites typically arrive via email or instant messages from untrusted sources, so as long as you stay away from those links, you should be fine.

Microsoft Edge has a rather small market share right now, so only a few users are likely to be exposed, though it goes without saying that Microsoft should hurry up with a fix and ship it as soon as possible.