Google Project Zero has disclosed a bug in the latest Windows web browser after Microsoft failed to meet the security team’s deadline.
Project Zero gives companies 90 days to fix bugs before publishing them, and a further 14 days if a company requires it. But Google quoted Microsoft as saying last week that, after the 90 day deadline came to pass, the Edge patch would not be ready by the extended deadline either.
“The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues,” Microsoft reportedly said. “The team IS positive that this will be ready to ship on March 13th [2018-03-13], however this is beyond the 90-day SLA [service level agreement] and 14-day grace period to align with Update Tuesdays.”
If a company admits that it won’t make the 14 day extension, Google will instead go ahead and disclose the patch anyway, as it did last week.
Paul Ducklin, a security researcher at Sophos, explained in a blog that the bug in question is not a remote code execution exploit “all on its own”: “It’s a security bypass that could allow an attacker who has already wrested control from your browser to vault over Microsoft’s second layer of defence, known as ACG, short for Arbitrary Code Guard.”