Google has gone public with details about a Microsoft Edge vulnerability that attackers could abuse and bypass one of the browser's security features —Arbitrary Code Guard (ACG).
ACG is a relatively new feature added to Edge's security model. Microsoft added support for ACG in Edge in April 2017, with the release of the Windows 10 Creators Update.
Ivan Fratric, a security engineer with Google's Project Zero team, has discovered a way to bypass ACG and allow an attacker to load unsigned code in memory, allowing attackers a way into Windows boxes via malicious websites loaded via Edge.
Fratric reported the issue to Microsoft last November, in a private bug report, but the deadline for fixing the bug passed.
"The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues," Microsoft told Fratric.
"The [Microsoft Edge] team IS positive that this will be ready to ship on March 13th," Microsoft added.
Fratric is also the author of Domato, a fuzzing tool for discovering security flaws in browser engines.