From time to time security flaws are uncovered in software. It’s not as if this was done on purpose, it’s just that sometimes it’s hard to try and catch all the flaws. More recently it seems that Google’s Project Zero has discovered a new security flaw in Microsoft’s Edge browser, as posted on the Chromium website (via Neowin).
The report is rather technical, but basically the flaw allows attackers to potentially side-step and workaround one of Edge’s built-in security countermeasures. This will allow the attack to load unsigned code into memory from a malicious website that was accessed via the Edge browser. This was flaw was discovered by Google security researcher Ivan Fratric who reached out to Microsoft to inform them of it.
However it seems that the fix is a bit complicated, which is why the report was published publicly following Project Zero’s policy where they will share their findings with the public after 90 days. This is meant to give developers and companies time to release a fix, which means that even after the report is published, the vulnerability would no longer be valid.
According to Microsoft who responded to Fratric’s disclosure, “The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues. The team is positive that this will be ready to ship on March 13th.” In the meantime for those who use Edge, perhaps you might want to consider switching up browsers until the fix has been released.