The information was published by Google’s Project Zero, which tracks down flaws in other companies’ products, giving them a 90-day window to publish fixes.
In this case, Microsoft told Google it wouldn’t be able to release a fix in time for its regularly scheduled February patch day, which fell on Tuesday of last week. Instead, it’s planning a patch for next month’s patch date, which falls on 13 March.
But even that date may slip, Microsoft has now acknowledged.
‘No date’ for a fix
“Because of the complexity of the fix, they do not yet have a fixed date set as of yet,” said Google researcher Ivan Fratric in a Monday update to the Project Zero advisory.
The controversial Project Zero programme has now automatically published detailed technical information on the flaw, leaving it exposed to exploitation by hackers.
The bug allows an attacker to bypass an Edge security feature called Arbitrary Code Guard (ACG), introduced in April of last year with the Windows 10 Creators Update.
Fratric said he notified Microsoft of the issue in mid-November. Microsoft informed him shortly before the end of the 90-day publication window last week that it wouldn’t be able to meet the deadline.
Google ranked the bug as “medium” severity.
Do you know all about security? Try our quiz!