Google gave Microsoft 90 days to fix security flaw; Microsoft failed
Security researchers at Google’s Project Zero publicly reported about a huge security flaw in Microsoft Edge which allows loading a malicious code into memory. However, Microsoft was notified about the security bug and given 90 days to fix it until it is disclosed publicly. Apparently, Microsoft failed to meet the deadline.
Google researchers reported about a security flaw in Microsoft Edge browser Arbitrary Code Guard (ACG)[1] feature in November 2017. Microsoft asked for the extended deadline, and Google gave an extra 14 days to fix the bug and provide it in February’s Patch Tuesday.
However, this month’s patches from Microsoft did not have a fix for this vulnerability. The company says that “the fix is more complex than initially anticipated.” The fix is expected to be released on upcoming Patch Tuesday on the 13th of March.[2] However, it’s not confirmed.
Microsoft Edge vulnerability is reported on Chromium blog
Microsoft Edge users should no longer feel safe and sound. Google released the information about the bug and how it operates. Therefore, anyone who is looking for a flaw to exploit in order to launch cyber attack can now take advantage of it.
Google researcher Ivan Fratric found a vulnerability in Microsoft's Arbitrary Code Guard (ACG) which was rated as “medium.” The flaw affects Just In Time (JIT) compiler for JavaScript and allows attackers to load a malicious code. The problem is described in Chromium blog:[3]
If a content process is compromised and the content process can predict on which address JIT process is going to call VirtualAllocEx() next (note: it is fairly predictable), content process can:
1. Unmap the shared memory mapped above above using UnmapViewOfFile()
2. Allocate a writable memory region on the same address JIT server is going to write and write an soon-to-be-executable payload there.
3. When JIT process calls VirtualAllocEx(), even though the memory is already allocated, the call is going to succeed and the memory protection is going to be set to PAGE_EXECUTE_READ.
It’s not the first time when Google publicly discloses flaws in Microsoft products
In 2016, Google researchers discovered a flaw in Windows 10. The situation was similar. Microsoft was informed about the vulnerability that allowed attackers to install a backdoor on Windows computer.
However, Google did not remain silent for a long. They took only 10 days to disclose about “critical” vulnerability. Back then Google had deployed a fix for Google Chrome users. However, Windows OS itself remain vulnerable.
After the news about critical vulnerability emerged two years ago, Microsoft spokesperson told that “disclosure by Google puts customers at potential risk.”[4]
Last year Google reported about “crazy bad”[5] vulnerability in Windows 10 that allowed remote code execution. However, Microsoft managed to fix the problem with the latest Patch Tuesday updates. Though, it seems that it’s possible to solve security problems in time.
- ^ Matt Miller. Mitigating arbitrary native code execution in Microsoft Edge. Windows Blog. The official Microsoft blog.
- ^ Rene Millman. Google divulges vulnerability in Microsoft Edge before patch is ready. SC Magazine UK. Security and IT news.
- ^ Microsoft Edge: ACG bypass using UnmapViewOfFile. Chromium blog. The official blog.
- ^ Russell Brandom. Google just disclosed a major Windows bug — and Microsoft isn’t happy. The Verge. Technology news and reviews.
- ^ Aditya Tiwari. Microsoft Fixes Critical “Crazy Bad” Bug in Windows 10 Reported By Google Researchers. Fossbytes. Technology news with a focus on Linux distro releases, security & hacking news, tutorials, tips and tricks, VPNs & more.