Google discloses security flaw in Edge that Microsoft was late to fix

by Olivia Morelli - -

Google gave Microsoft 90 days to fix security flaw; Microsoft failed

Google discloses security flaw in Microsoft Edge

Security researchers at Google’s Project Zero publicly reported about a huge security flaw in Microsoft Edge which allows loading a malicious code into memory. However, Microsoft was notified about the security bug and given 90 days to fix it until it is disclosed publicly. Apparently, Microsoft failed to meet the deadline.

Google researchers reported about a security flaw in Microsoft Edge browser Arbitrary Code Guard (ACG)[1] feature in November 2017. Microsoft asked for the extended deadline, and Google gave an extra 14 days to fix the bug and provide it in February’s Patch Tuesday.

However, this month’s patches from Microsoft did not have a fix for this vulnerability. The company says that “the fix is more complex than initially anticipated.” The fix is expected to be released on upcoming Patch Tuesday on the 13th of March.[2] However, it’s not confirmed.

Microsoft Edge vulnerability is reported on Chromium blog

Microsoft Edge users should no longer feel safe and sound. Google released the information about the bug and how it operates. Therefore, anyone who is looking for a flaw to exploit in order to launch cyber attack can now take advantage of it.

Google researcher Ivan Fratric found a vulnerability in Microsoft's Arbitrary Code Guard (ACG) which was rated as “medium.” The flaw affects Just In Time (JIT) compiler for JavaScript and allows attackers to load a malicious code. The problem is described in Chromium blog:[3]

If a content process is compromised and the content process can predict on which address JIT process is going to call VirtualAllocEx() next (note: it is fairly predictable), content process can:

1. Unmap the shared memory mapped above above using UnmapViewOfFile()
2. Allocate a writable memory region on the same address JIT server is going to write and write an soon-to-be-executable payload there.
3. When JIT process calls VirtualAllocEx(), even though the memory is already allocated, the call is going to succeed and the memory protection is going to be set to PAGE_EXECUTE_READ. 

It’s not the first time when Google publicly discloses flaws in Microsoft products

In 2016, Google researchers discovered a flaw in Windows 10. The situation was similar. Microsoft was informed about the vulnerability that allowed attackers to install a backdoor on Windows computer.

However, Google did not remain silent for a long. They took only 10 days to disclose about “critical” vulnerability. Back then Google had deployed a fix for Google Chrome users. However, Windows OS itself remain vulnerable.

After the news about critical vulnerability emerged two years ago, Microsoft spokesperson told that “disclosure by Google puts customers at potential risk.”[4]

Last year Google reported about “crazy bad”[5] vulnerability in Windows 10 that allowed remote code execution. However, Microsoft managed to fix the problem with the latest Patch Tuesday updates. Though, it seems that it’s possible to solve security problems in time.

About the author

Olivia Morelli
Olivia Morelli - PC & Mac repair expert

Olivia Morelli is a young, but a perspicacious IT expert who is currently just a year away from a Bachelor’s Degree in Software Systems. Her primary passion is cyber security, however, thanks to her detailed understanding of computer networks, operating systems and hardware, she can find a fix for any PC or Mac issue...

Contact Olivia Morelli
About the company Esolutions

References