Google discloses Microsoft Edge security flaw before a patch is ready

[Becky]

Back in November 2017, Google reported a security flaw to Microsoft regarding their browser, Edge. Google gave Microsoft 90 days to patch the flaw before going public, followed by an additional 14 days grace period due to the fact that the problem was more difficult to patch than initially anticipated. The Verge has more:

Microsoft and Google have been bitter rivals for at least a decade, and the pair have had several disagreements over security vulnerability disclosure in recent years. Google is stoking those disagreements again this week by disclosing a Microsoft Edge security flaw before a patch is available. Neowin spotted that Google disclosed the security flaw to Microsoft back in November, and the company provided 90 days for Microsoft to fix it before going public as it’s rated “medium” in terms of severity.

Google also provided Microsoft with an additional 14-day grace period to have a fix available for its monthly Patch Tuesday release in February, but Microsoft missed this goal because “the fix is more complex than initially anticipated.” It’s not clear when Microsoft will have a fix available, and the Google engineer responsible for reporting the security flaw says because of the complexity of the fix Microsoft “do not yet have a fixed date set as of yet.”

Read more here.

 

[nivrip]

Well, I have Edge on my system but never use it. I prefer IE11 so does that mean I'm OK or does just having Edge mean that I am vulnerable?

Presumably there will be a patch available as soon as possible especially now that it's all out in the open.

 

[Becky]

Well it's not great that Microsoft haven't been able to fix it in 104 days, and they have no idea of when it'll be patched. I dislike that the article makes out that Google is the bad guy - they have no responsibility to report bugs in Microsoft's software, they could keep it to themselves and play the advantage. The fact that they spot them and privately tell Microsoft so they can fix it can only be a good thing. Going public once a reasonable period of time has passed seems only fair too - users have the right to know.

@nivrip you're right to steer clear of Edge. I haven't used IE in a long while, I prefer Chrome myself.