These two tech giants are at it again. Google’s Project Zero has revealed another security flaw in a Microsoft product before a fix could be issued. This is nothing new, of course. Microsoft and Google have repeatedly disagreed about the public disclosure of security flaws.
Just last year, Google publicly revealed high-severity bugs in Microsoft’s browsers, leading to a war of words between the two companies.
And we don’t see this verbal tussle ending anytime soon. Read on and I’ll tell you more about the latest Google vs. Microsoft standoff.
Latest Microsoft Edge flaw
Another security bug in Microsoft’s Edge browser was publicly revealed by Google before Microsoft could fix it.
Google originally reported the security flaw to Microsoft back on November 17, but since Microsoft wasn’t able to patch it within the 90-day “responsible disclosure” timeframe, the flaw was publicly revealed.
Thankfully, the Edge flaw is just a medium-severity bug. Unlike other critical bugs, it doesn’t put you at immediate risk of remote code execution or a computer takeover.
Basically, the flaw allows an attacker to bypass Microsoft Edge’s Arbitrary Code Guard (ACG). This Edge browser feature is supposed to prevent hackers who have already compromised the browser from executing further malicious code.
It appears that Microsoft was aiming to patch the flaw before February’s Patch Tuesday updates dropped. However, the flaw was “more complex” than expected, so it’s now planning to include the fix in March’s updates instead.
Did Google do the right thing?
Google thinks that its 90-day “responsible disclosure” timeframe is more than enough time for software vendors to fix security flaws, so it’s strictly adhering to it.
Why reveal security flaws anyway? Well, it’s actually for public safety. In theory, making people aware of a security bug will protect them from zero-day attacks.
A strict disclosure timeframe will also pressure software vendors into fixing the flaws quickly, shortening the time that hackers can exploit them.
Again, it’s likely that Microsoft is not too happy with Google’s disclosure. As with past security disclosures, Microsoft believes Google is simply not giving it enough time to fix the bugs.
Is Microsoft Edge safe to use?
This Microsoft Edge flaw is a medium-severity flaw, so it doesn’t put you at immediate risk. An attacker needs to take over your browser by other means first before this ACG exploit can be used. But it can be done, so it is just a matter of time before it happens unless Microsoft takes immediate action.
If you insist on still using Edge, be very careful about the sites you visit, the links you click and the attachments you receive.
We recommend you use other browsers such as Safari, Google Chrome or Mozilla’s Firefox Quantum for now.