Google Project Zero Team Exposes Microsoft Edge Browser Exploit After Redmond Misses Deadline
In this instance, Microsoft requested and was granted a two-week grace period on top of Project Zero's standard 90-day disclosure window. Microsoft was still unable to ship a fix before the extended deadline, so the details of the bug are now public. With that being the case, there is added pressure on Microsoft to plug the security hole as quickly as possible, or it risks losing Edge users to competing browsers such as Chrome or Firefox.
The flaw could allow an attacker who has already compromised an Edge content process to turn that foothold into arbitrary native code execution on the victim's PC. It does so by bypassing Microsoft's Arbitrary Code Guard (ACG), a mitigation that is supposed to stop a content process from creating new executable code pages or making existing code pages writable. Because a JavaScript engine needs to emit machine code at runtime, Microsoft's ACG design for Edge moves the just-in-time (JIT) compiler into a separate process, which compiles the code and maps it into the content process as executable memory. That cross-process hand-off is where the point of entry exists for attackers.
Here is how Project Zero describes the vulnerability:
If a content process is compromised and the content process can predict at which address the JIT process is going to call VirtualAllocEx() next (note: it is fairly predictable), the content process can:
- Unmap the shared memory mapped above using UnmapViewOfFile()
- Allocate a writable memory region at the same address the JIT server is going to write to and write a soon-to-be-executable payload there.
- When JIT process calls VirtualAllocEx(), even though the memory is already allocated, the call is going to succeed and the memory protection is going to be set to PAGE_EXECUTE_READ.