seems to be gunning for again by going public with a in Microsoft Edge before Microsoft could develop a patch.

The flaw affects Microsoft’s Arbitrary Code Guard (ACG) which Microsoft described a year ago in a post about major improvements released in the Creators Update of Windows . To mitigate arbitrary native code execution in Edge, the Creators Update would use “Code Integrity Guard (CIG) and Arbitrary Code Guard (ACG) to help break the most universal primitive found in modern web browser : loading malicious code into memory.”

Microsoft went on to explain how modern browsers transform JavaScript to native code, but “enabling Just-in-Time (JIT) compilers to work with ACG enabled is a non-trivial engineering task.” The Redmon giant “moved the JIT functionality of Chakra into a separate process that runs in its own isolated sandbox. The JIT process is responsible for compiling JavaScript to native code and mapping it into the requesting content process. In this way, the content process itself is never allowed to directly map or modify its own JIT code pages.”

When ACG was enabled, “the Windows kernel prevents a content process from creating and modifying code pages in memory by enforcing the following policy: Code pages are immutable. New, unsigned code pages cannot be created.”

However, Google researcher Ivan Fratric discovered how to bypass ACG and reported the flaw to Microsoft last November. The flaw’s severity was rated as “medium.”

Microsoft was given the standard 90-day disclosure deadline, but still failed to fix the issue.

On Friday, Google Project Zero publicly Microsoft Edge: ACG bypass using UnmapViewOfFile.”

According to comments posted on the disclosure, The Microsoft Security Response Center replied, “The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues.” MSRC was confident, worded as “positive,” that the patch would be ready by March 13th.

Google Project Zero pointed out that the date exceeded “the 90-day SLA and 14-day grace period to align with Update Tuesdays.” Therefore, Google disclosed the flaw.

But the fix may not roll out on March 2018 Patch Tuesday. Fratric noted that Microsoft wanted to clarify “because of the complexity of the fix, they do not yet have a date set as of yet.”

So now the details are in the public domain and cyber thugs can get to work on exploiting it. On the bright side, how many people actually use Edge? NetMarketShare reported that Edge had a browser market share of 4.67 percent in January. Yet for the people that do use Edge, short of changing browsers, they will have to wait on Microsoft to roll out the patch.

This is not the first and will doubtfully be the last time that Google Project Zero goes public with a Windows-related vulnerability when Microsoft fails to meet the 90-day deadline.

Back in 2016 after Google went public with a flaw that could allow an attacker to install a backdoor on Windows users’ computers, Microsoft’s Terry Myerson was so aggravated with Google that he wrote, “We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.”

Right or wrong, at this point, Microsoft should expect Google to go public if the disclosure deadline is not met.



Source link

LEAVE A REPLY

Please enter your comment!
Please enter your name here