Friday, March 29, 2024

Google Disclosed a Microsoft Edge Zero-day Bug Before Patch is Released – 90-day Deadline Crossed

Google Revealed a Microsoft Edge Zero-day Bug in public since Microsoft misses the 90-day deadline as well as an additional 14-day grace period.

Google built a full-time dedicated Security team, known as Project Zero, that aims to prevent targeted attacks by reporting bugs to software vendors and filing them in an external database.

A disclosed bug was discovered back in November 2017 by Zero-day team that will lead to allowing code injection and execution in Microsoft Edge Browser.

Microsoft still processing the bug and conforming to Google that no time frame for this bug to release, The Project-Zero team went public with the full technical details of the Edge bug.

Microsoft Edge Zero-day Bug Revealed in Public

Ivan Fratric, a security engineer with Google’s Project Zero team, has discovered a way to bypass ACG and allow an attacker to load unsigned code in memory.

This could, in theory at least, give attackers a way into Windows boxes via malicious websites loaded via Edge by leveraging a flaw in the browser’s JIT (Just-in-Time) compiler.

After this disclose went on public Microsoft replied that, ‘The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues. The team IS positive that this will be ready to ship on March 13th, however, this is beyond the 90-day SLA and 14-day grace period to align with Update Tuesdays’.” 

Since Google always following Aggressive disclosure policies makes software vendors to strictly focus on their security bugs and keep them working and fix it as soon as possible.

Last week Microsoft Released security Patch Tuesday updates for all security fixes that affect Windows 10 and some non-security fixes also released.

There are 50 critical security fixes are reported in this  February patches for Explorer (IE), Microsoft Edge, ChakraCore, Microsoft Windows, and Microsoft Office.

But due to the complexity of the bug, Microsoft didn’t release a patch with February security updates.

In this case, The [Microsoft Edge] team IS positive that this will be ready to ship on March 13th Tuesday security updates.

Website

Latest articles

Beware Of Weaponized Air Force invitation PDF Targeting Indian Defense And Energy Sectors

EclecticIQ cybersecurity researchers have uncovered a cyberespionage operation dubbed "Operation FlightNight" targeting Indian government...

WarzoneRAT Returns Post FBI Seizure: Utilizing LNK & HTA File

The notorious WarzoneRAT malware has made a comeback, despite the FBI's recent efforts to...

Google Revealed Kernel Address Sanitizer To Harden Android Firmware And Beyond

Android devices are popular among hackers due to the platform’s extensive acceptance and open-source...

Compromised SaaS Supply Chain Apps: 97% of Organizations at Risk of Cyber Attacks

Businesses increasingly rely on Software as a Service (SaaS) applications to drive efficiency, innovation,...

IT and security Leaders Feel Ill-Equipped to Handle Emerging Threats: New Survey

A comprehensive survey conducted by Keeper Security, in partnership with TrendCandy Research, has shed...

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles