Google discloses security flaw in Edge browser that Microsoft hasn’t yet fixed


Users of Microsoft Edge are being warned about a new security flaw which could let hackers take over their computer and for which there is currently no fix.

Details of the flaw have been made public by Google’s Project Zero team, even though Microsoft does not yet have a patch ready to help safeguard users.

Google says it notified Microsoft about the flaw in November 2017 and gave the company the usual 90 days to fix the problem.

Microsoft then said that the flaw was complex and that it needed additional time to release a patch.

Google gave the company an additional 14 days, but now even that deadline has passed. As a result, Project Zero has gone public with full details of the security flaw, meaning that hackers could use the information to try to exploit it.

Despite Edge’s relatively small user base, the episode is still embarrassing for Microsoft.

This isn’t the first time the two companies have clashed over the public disclosure of security flaws.

In October last year, Microsoft criticised Google for the way it handles security updates after discovering a major security flaw in Chrome.

Ironically, Microsoft used the episode to tout the security benefits of Edge over its rival Chrome, saying that Edge is more secure than Google’s browser.

“Our discovery of ‘CVE-2017-5121’ indicates that it is possible to find remotely exploitable vulnerabilities in modern browsers. Chrome’s relative lack of remote code execution (RCE) mitigations means the path from memory corruption bug to exploit can be a short one,” wrote Jordan Rabet, from Microsoft’s Offensive Security Research team, in a blog.

“Chrome’s process for servicing vulnerabilities can result in public disclosure of details for security flaws before fixes are pushed to customers,” added Rabet.

“While the fix for this issue doesn’t out the vulnerability, according to Microsoft, that hasn’t always been the case. Microsoft believes that a fix should be applied before they are public knowledge,” Microsoft said.

That particular episode came after Google exposed a flaw in Windows before Microsoft had a chance to fix it.

Expect this little duel to run and run.

And if you use Edge, either switch to an alternative browser or sit tight until Microsoft releases a fix.

Via: Neowin

