Google Project Zero Team Exposes Microsoft Edge Browser Exploit After Redmond Misses Deadline

Google's Project Zero team has publicly disclosed a security vulnerability in Microsoft's Edge browser for Windows 10 after Microsoft failed to issue a patch in the allotted time. The Project Zero team alerted Microsoft of a bug relating to the browser's Arbitrary Code Guard (ACG) back in November of last year. As is the team's policy, companies generally have 90 days to fix flaws that it discovers before a public disclosure.

Image Source: Flickr via okubax

In this instance, Microsoft requested and was granted a two-week grace period. Unfortunately Microsoft was still unable to fix the flaw before the extended deadline, so now the details of the bug are public knowledge. With that being the case, there is added pressure on Microsoft to plug the security hole as quick as possible, or it risks losing Edge users to competing browsers, such as Chrome or Firefox.

The flaw essentially could allow an attacker to inject and run malicious code on a victim's PC. An attacker could do this by bypassing Microsoft's ACG, which is supposed to safeguard against a content process from creating and modifying code pages in memory. However, Microsoft's implementation of ACG in Edge uses a separate process for the just-in-time (JIT) compiler for JavaScript, and that is where the point of entry exists for attackers.

Here is how Project Zero describes the vulnerability:
If a content process is compromised and the content process can predict on which address JIT process is going to call VirtualAllocEx() next (note: it is fairly predictable), content process can:
    1. Unmap the shared memory mapped above above using UnmapViewOfFile()
    2. Allocate a writable memory region on the same address JIT server is going to write and write an soon-to-be-executable payload there.
    3. When JIT process calls VirtualAllocEx(), even though the memory is already allocated, the call is going to succeed and the memory protection is going to be set to PAGE_EXECUTE_READ.
Microsoft's reason for wanting an extension is because fixing the bug has proven "more complex than initially anticipated." While Microsoft missed the extended deadline, the company told the Project Zero team that it will have a fix in place on March 13, which aligns with its next Patch Tuesday update.