Google reveals major Microsoft security flaw before a fix is issued

20 Feb 2018

Google offices, Mountain View, California. Image: MariaX/Shutterstock

Google discloses major vulnerability as Microsoft misses deadline for fix.

Founded in 2014, Project Zero is Google’s crack team of security analysts that works to find zero-day vulnerabilities in popular software. The bugs found by the team are reported to software manufacturers and only made public once a patch has been released, or 90 days have passed without the creation of a fix.

Microsoft is now in Project Zero’s crosshairs, as the cybersecurity researchers have publicised a bug in the former’s Edge browser after the 90-day fix deadline passed. The bug was originally shared with Microsoft on 17 November of last year, but the company was unable to find a solution in that timeframe.

Microsoft misses deadline

Google can give you a further 14-day grace period to extend the deadline to 104 days but, if the company in question admits that the fix may take longer than this, the 14 days are not granted.

The flaw in Microsoft Edge is rated ‘medium’ in terms of severity. Microsoft informed Google that “the fix is more complex than initially anticipated”, and the Google engineer who reported the bug said there is no fixed date as of yet for a patch due to the complex nature of the problem.

The vulnerability, while not severe, allows a workaround for Edge’s Arbitrary Code Guard (ACG), a built-in security measure. Researcher Ivan Fratric was able to load unsigned code into memory from a malicious website accessed via Edge. The details of the patch are technically dense but, essentially, the flaw could allow for bad actors to bypass security features of the browser.

Paul Ducklin of Sophos explained that the ACG bypass found in the browser doesn’t provide hackers remote code execution on its own, and that a remote code execution vulnerability in Edge must first be located.

Microsoft responded to Fratric’s disclosure: “It is very likely that we will not be able to meet the February release deadline due to these memory management issues. The team is positive that this will be ready to ship on March 13th.” It remains to be seen if it will make this touted deadline.

Google bug policy is controversial

Microsoft has previously been critical of Google’s 90-day disclosure policy, but the search giant maintains that it can never be accused of preferential treatment by inflexibly disclosing how the bug works after this time period has elapsed. Some people feel it is unfair on companies who are trying to fix an issue that may be too complex to remedy within 90 days, but others say it helps Google remain objective.

This is not the first time that Microsoft has been affected by a Google bug disclosure. Last October, Microsoft discovered a vulnerability in Chrome and opined that Google’s methods of disclosure were, in its view, irresponsible. Microsoft also criticised Google for making the source code of vulnerabilities available on GitHub ahead of fixes being issued.

The incident will likely stoke discussions around the ethics of vulnerability disclosures in general, particularly from powerful firms with major commercial interests such as Google.

Google offices, Mountain View, California. Image: MariaX/Shutterstock

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects

editorial@siliconrepublic.com