Here's the bug: https://bugs.chromium.org/p/project-zero/issues/detail?id=1435

It's a race condition that allows an ACG bypass. Under ACG, only privileged processes in the browser process ensemble can create new executable pages. But the mechanism by which privileged processes "give" executable pages to less-privileged processes enables the lesser processes to populate them with code of their choosing. It's medium severity because it's just a bypass of a (relatively new) security control. For it to be useful, you already need to have an RCE-able bug.

The headline is a bit misleading, and the article keeps you on the hook for a couple of grafs before explaining.

You don't get "indefinitely, until the patch is released" from Google. You get 90 days. It's on you, the vendor that shipped the buggy software, to figure out how to ship a patch within 3 months. If you can't, you can ask for a grace period, which Google isn't obliged to give you (but did give here). I believe, but am not sure, that Google will give longer grace periods for very severe vulnerabilities, at their discretion.

This is how it has to be. Big vendors --- Google almost surely included! --- will backburner patches for months and months if they aren't given hard deadlines. Deadlines serve the users --- not just of the vulnerable software, but all the other users that might depend on the people who use that software in some indirect way.

Either way, it doesn't look like anything was done to spite Microsoft. But a "business continued as usual" headline wouldn't attract as many clicks, I get that.