Under its Project Zero disclosure policy, Google notified Microsoft of its discovery after finding the issue back in November. It gave the company its standard 90 days to fix the problem and release a patch before issuing a public disclosure. Google granted Microsoft an additional two-week extension so that the update could be included in the company’s monthly “Patch Tuesday” releases.
Despite the added time, Microsoft still hasn’t managed to remedy the issue within the allotted window. After Microsoft confirmed to Google that there’s currently no firm timeframe for its release, Project Zero went public with its disclosure even though no patch is available. This could allow attackers to develop exploits using the flaw and deploy them in the wild.
The issue lies in a Microsoft Edge feature called Arbitrary Code Guard (ACG). As the name suggests, ACG is supposed to prevent malicious actors from running arbitrary code in the web browser. ACG is designed to stop suspect code from being loaded into executable memory, isolating it before it has a chance to have an impact.
The problem discovered by Project Zero lies in the implementation of ACG, which depends on a separate process for the just-in-time (JIT) compilation of code. As explained by Microsoft last year, JIT runs “in its own isolated sandbox” and bridges the gap between the webpage and its protected code. Google found that the allocation of JIT memory is predictable, which could be exploited by a compromised content process to inject arbitrary code into the JIT process and so bypass ACG.
The technical complexity of the problem has thwarted Microsoft’s attempts to develop a fix inside the 90-day disclosure window. In a comment on the Project Zero bug report, Microsoft said the “fix is more complex than initially anticipated” and will take additional time to develop. The company is now readying the patch for release in March’s Patch Tuesday updates, which will leave customers at risk for another month.
This isn’t the first time Project Zero has disclosed Microsoft software issues before they’ve been patched. Google presents the 90-day disclosure policy as a way to pressure software makers to resolve issues quickly after they’ve been found.
The practice is highly controversial, and Microsoft has publicly expressed its frustration after similar disclosures in the past. Critics note that any failure to meet the deadline results in exploit descriptions being made public while users are still at risk, which could let attackers use the discoveries maliciously.
