SafeUM

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
20 Feb 2018

Google exposes security flaw in Microsoft Edge

Google's Project Zero initiative tasks its security researchers with finding flaws in various software products developed by the company itself as well as other firms.

Back in 2016, it revealed a serious vulnerability in Windows 10, and in 2017 it reported a "crazy bad vulnerability" in Windows. Now the firm has disclosed another security flaw, this time in Microsoft Edge, after the Redmond giant failed to fix it in the allotted time.

Back in February 2017, Microsoft stated that it would be using Arbitrary Code Guard (ACG) in Microsoft Edge with the Windows 10 Creators Update to mitigate arbitrary native code execution. Because most modern web browsers rely on Just-in-Time (JIT) compilers, ACG created complications, which forced Microsoft to move the JIT functionality of Chakra into a separate process that runs in an isolated sandbox. According to the company, this was a difficult task to accomplish.

For those unaware, Microsoft's JIT process is responsible for compiling JavaScript to native code. It creates a shared map object, maps it into the content process and reserves the memory. Then, when pages need to be written to memory, it calls the VirtualAllocEx() function to allocate memory from the space it reserved in the content process, and commits it.

Now, the problem with this technique is that if the content process is compromised and can predict the address at which the JIT process will next call VirtualAllocEx() - which, according to Google, can be done fairly easily - the content process can:

  1. Unmap the shared memory mapped above using UnmapViewOfFile().
  2. Allocate a writable memory region at the same address the JIT server is going to write to, and write a soon-to-be-executable payload there.
  3. When the JIT process calls VirtualAllocEx(), the call succeeds even though the memory is already allocated, and the memory protection is set to PAGE_EXECUTE_READ.
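The three steps above, as an added toy model that is not part of the original article, Chakra, or Microsoft's fix: a page-granular address space where, as with VirtualAllocEx(MEM_COMMIT), committing an already committed page succeeds and applies the requested protection. The `hardened` variant, the address constant and the sample payload are constructed for illustration, and the check it adds is check-then-act, so it shows the state the server must not trust rather than a complete fix.

```python
# Toy model of the JIT-server/content-process interaction described above.
# Constructed for illustration; it is not Windows code, not Chakra, and not
# Microsoft's fix. Like VirtualAllocEx(MEM_COMMIT), committing a page that
# is already committed succeeds and simply applies the requested protection.
PAGE = 0x1000
JIT_ADDR = 0x7FF00000   # constructed "predicted" address of the next commit


class ContentProcessMemory:
    """Page-granular address space of the content process: addr -> page."""

    def __init__(self):
        self.pages = {}

    def map_shared(self, base, count):          # the JIT server's mapping
        for i in range(count):
            self.pages[base + i * PAGE] = {"state": "RESERVE",
                                            "prot": None, "data": None}

    def unmap(self, base, count):               # UnmapViewOfFile analogue
        for i in range(count):
            self.pages.pop(base + i * PAGE, None)

    def commit(self, addr, prot, data=None):    # VirtualAllocEx(MEM_COMMIT)
        page = self.pages.setdefault(
            addr, {"state": "FREE", "prot": None, "data": None})
        page["state"], page["prot"] = "COMMIT", prot
        if data is not None:                    # re-commit keeps old contents
            page["data"] = data
        return True

    def query(self, addr):                      # VirtualQueryEx analogue
        return self.pages.get(addr, {"state": "FREE", "prot": None, "data": None})


def jit_server_commit(mem, addr, hardened):
    """JIT server making a page executable. The hardened variant refuses to
    act unless the page is still in the reserved state it expects (an
    illustrative check; still check-then-act, so not a complete fix)."""
    if hardened and mem.query(addr)["state"] != "RESERVE":
        return False
    return mem.commit(addr, "PAGE_EXECUTE_READ")


def run_scenario(hardened):
    mem = ContentProcessMemory()
    mem.map_shared(JIT_ADDR, 4)
    # Steps 1-2 from the article, performed by a compromised content process.
    mem.unmap(JIT_ADDR, 4)
    mem.commit(JIT_ADDR, "PAGE_READWRITE", data="attacker-controlled bytes")
    # Step 3: the JIT server commits at the address it reserved earlier.
    ok = jit_server_commit(mem, JIT_ADDR, hardened)
    page = mem.query(JIT_ADDR)
    return ok, page["prot"], page["data"]
```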

This is understandably a considerable security concern, and one which the Google security researcher has exploited, as detailed in his highly technical debug log, which you can view here. In it, the researcher successfully bypasses ACG and creates an executable page in memory.

It is important to note that the bug has been classified as a "Medium" severity flaw and was disclosed to Microsoft by Google in November 2017. The company was given the standard 90-day deadline to fix the issue before it was disclosed to the public.

According to the Microsoft Security Response Center (MSRC), the problem turned out to be more complex than initially believed, so Google granted an additional 14-day grace period. Although the company also missed this deadline with its February Patch Tuesday - which led Google to make the flaw public - Microsoft is confident that it will resolve the issue by March 13, aligning the fix with the March Patch Tuesday.

Tags: Microsoft, information leaks, Google
Source: Neowin