Microsoft Edge vulnerability exposed as Microsoft misses Google's Project Zero disclosure deadline

Google has revealed details of a security vulnerability in Microsoft Edge before a patch has been produced. Through Project Zero, Google notified Microsoft about a bug in the browser's Arbitrary Code Guard (ACG) feature back in November, giving the company the usual 90-day disclosure deadline. Google went further, granting Microsoft a further grace period of two weeks on request, but the vulnerability remains unfixed in Windows 10. As such, details of the "ACG bypass using UnmapViewOfFile" bug have now been made public. See also: Microsoft gives sysadmins Meltdown and Spectre detection in Windows Analytics Microsoft to bring Windows Defender Advanced… [Continue Reading]