Google’s Project Zero, a team of security researchers tasked with finding vulnerabilities in Google’s own software and that of third-parties, has exposed a new security flaw in Microsoft Edge (via Neowin), the default web browser in Windows 10.
The flaw affects Microsoft’s Arbitrary Code Guarantee (ACG) that aims to mitigate arbitrary native code execution. ACG forced Microsoft to move its JIT (Just-in-Time) functionality into a separate process, effectively running it in an isolated sandbox. Google explained how the flaw works, by predicting the address that the JIT process calls itsVirtualAllocEx() function:
Unmap the shared memory mapped above above using UnmapViewOfFile()
Allocate a writable memory region on the same address JIT server is going to write and write a soon-to-be-executable payload there.
When JIT process calls VirtualAllocEx(), even though the memory is already allocated, the call is going to succeed and the memory protection is going to be set to PAGE_EXECUTE_READ.
The flaw is marked as a “Medium” in severity, and Microsoft was made aware of it back in November 2017 and was given the usual 90-day window to resolve the flaw. Microsoft later told Google that the complexity of the flaw meant it would need more time, so a 14-day extension was granted. Microsoft missed the new deadline and Google’s Project Zero released details of the flaw publicly.
Now, the flaw remains unresolved and Microsoft has targeted March 13th for a patch.Further reading: Google, Microsoft, Microsoft Edge, Project Zero