Google found a security flaw in Microsoft’s Edge browser and announced its finding after Microsoft failed to fix the weakness in the time allowed. Microsoft’s explanation for not shipping a security update for this flaw is that the issue was too complicated to have anything ready for February’s update.
About the flaw
The flaw has its roots in Arbitrary Code Guard (ACG), introduced in Microsoft Edge with the Creators Update. This change aimed to mitigate arbitrary native code execution. Other web browsers rely on Just-in-Time (JIT) compilation as standard, and ACG and JIT do not work well together: ACG blocks a process from creating executable code, which is exactly what a JIT compiler must do. So to get things working smoothly, Microsoft moved the JIT into an isolated sandbox running as a separate process.
Doing this compromises security by allowing the content process to predict the address the JIT process is going to pass to its next VirtualAllocEx() call. According to reports, the content process can: unmap the shared memory previously mapped at that address using UnmapViewOfFile(); allocate a writable memory region at the same address the JIT server is going to write to, and place a soon-to-be-executable payload there; and wait for the JIT process to call VirtualAllocEx(), which succeeds even though the memory is already allocated and sets the memory protection to PAGE_EXECUTE_READ.
What is being done
Attackers are unable to exploit this flaw on its own. A separate vulnerability must be exploited first before an attacker can gain any advantage from this one. No word on what that vulnerability is or when a patch will be available has been released.
The flaw is classified as a medium-severity security flaw; Google found it in November 2017. Google is trying to get tech companies to fix security flaws quickly, but this is something that many companies, such as Microsoft, are unprepared to do.
For users, these security flaws can seem innocuous unless they affect their daily lives. However, tech companies have a responsibility to make sure their users are safe and their products are updated with security patches regularly. Google and Microsoft have disagreed about this for a while, as Google’s policies are not to Microsoft’s liking. Google has a team that finds flaws in systems and gives the affected company a 90-day period to fix the issue. After 90 days, Google can release the information about the flaw to the public.
Microsoft plans to include a security patch for this issue in the March 2018 Windows 10 update.
Source: Neowin