Google today disclosed a vulnerability in Microsoft Edge that has not been patched by Microsoft yet. The vulnerability makes it possible to circumvent a security measure from the Microsoft’s default browser in Windows 10. The security measure that can be circumvented is called Arbitrary Code Guard (ACG).
Google rates the impact of the vulnerability as “medium” and warned Microsoft about the issue on the 17th of November last year.
Microsoft answered that a fix for the issue would be very complex. The company also stated it would be unable to fix the issue before Google’s initial deadline would expire. Vulnerabilities found by Google have a 90-day deadline after which they are disclosed. This period can be extended with two weeks. Microsoft was unable to fix the issue in both the initial and extended period and therefore Google made the vulnerability public today.
Although Microsoft was unable to meet Google’s deadline, the company has stated it hopes to release a patch for the issue with March’s Patch Tuesday.