The flaw affects Microsoft’s Arbitrary Code Guard (ACG) which Microsoft described a year ago in a post about major security improvements released in the Creators Update of Windows 10. To mitigate arbitrary native code execution in Edge, the Creators Update would use “Code Integrity Guard (CIG) and Arbitrary Code Guard (ACG) to help break the most universal primitive found in modern web browser exploits: loading malicious code into memory.”
When ACG was enabled, “the Windows kernel prevents a content process from creating and modifying code pages in memory by enforcing the following policy: Code pages are immutable. New, unsigned code pages cannot be created.”
However, Google researcher Ivan Fratric discovered how to bypass ACG and reported the flaw to Microsoft last November. The flaw’s severity was rated as “medium.”
Microsoft was given the standard 90-day disclosure deadline, but still failed to fix the issue.
According to comments posted on the disclosure, The Microsoft Security Response Center replied, “The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues.” MSRC was confident, worded as “positive,” that the patch would be ready by March 13th.
Google Project Zero pointed out that the date exceeded “the 90-day SLA and 14-day grace period to align with Update Tuesdays.” Therefore, Google disclosed the flaw.
But the fix may not roll out on March 2018 Patch Tuesday. Fratric noted that Microsoft wanted to clarify “because of the complexity of the fix, they do not yet have a fixed date set as of yet.”
So now the details are in the public domain and cyber thugs can get to work on exploiting it. On the bright side, how many people actually use Edge? NetMarketShare reported that Edge had a browser market share of 4.67 percent in January. Yet for the people that do use Edge, short of changing browsers, they will have to wait on Microsoft to roll out the patch.
This is not the first and will doubtfully be the last time that Google Project Zero goes public with a Windows-related vulnerability when Microsoft fails to meet the 90-day deadline.
Back in 2016 after Google went public with a flaw that could allow an attacker to install a backdoor on Windows users’ computers, Microsoft’s Terry Myerson was so aggravated with Google that he wrote, “We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.”
Right or wrong, at this point, Microsoft should expect Google to go public if the disclosure deadline is not met.