Google exposes another zero-day security flaw in Edge as Microsoft misses the fix deadline

Browser security is hard, and it seems sometimes it is easier to break something than to fix it.

Microsoft nemesis Google Project Zero has once again made a flaw in Microsoft’s Edge browser public before the company could push out a fix.

The issue is related to Microsoft's Just-In-Time (JIT) compiler for JavaScript. Arbitrary Code Guard (ACG) stops a process from creating or modifying executable memory, which is exactly what a JIT compiler must do, so Edge runs the JIT compiler in a separate process that is by design not covered by ACG and writes the compiled code into the content process. It turns out that if a content process is compromised, and the attacker can predict the address at which the JIT process is going to call VirtualAllocEx() next, the content process can:

  • Unmap the shared memory section the JIT server has mapped into the content process, using UnmapViewOfFile(), which frees that address range.
  • Allocate a writable memory region at the same address the JIT server is about to write to, and place a soon-to-be-executable payload there.
  • Wait for the JIT process to call VirtualAllocEx(): even though the memory is already allocated, the call succeeds, and the memory protection is set to PAGE_EXECUTE_READ, so the attacker's payload becomes executable.
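To see why the third step works, here is a small PowerShell script added for this article (it is not code from Project Zero or Microsoft). It runs on a Windows host in an ordinary process without ACG and uses the in-process VirtualAlloc() in place of the cross-process VirtualAllocEx() the JIT server calls; the commit semantics that matter are the same, and that substitution is this example's assumption. The Vm wrapper class, the Get-PageProtect helper and the RET-byte "payload" are constructions of this example.

```powershell
# Added example, not code from Project Zero or Microsoft. Reproduces, inside one
# Windows process, the primitive the bypass depends on: VirtualAlloc() with
# MEM_COMMIT on a page that is already committed does not fail; it succeeds and
# applies the requested protection to the existing contents. VirtualAlloc is
# used instead of the cross-process VirtualAllocEx (assumption: same semantics).

$src = @"
using System;
using System.Runtime.InteropServices;
public static class Vm {
    public const uint MEM_COMMIT  = 0x1000;
    public const uint MEM_RESERVE = 0x2000;
    public const uint MEM_RELEASE = 0x8000;
    public const uint PAGE_READWRITE    = 0x04;
    public const uint PAGE_EXECUTE_READ = 0x20;

    [StructLayout(LayoutKind.Sequential)]
    public struct MEMORY_BASIC_INFORMATION {
        public IntPtr BaseAddress;
        public IntPtr AllocationBase;
        public uint   AllocationProtect;
        public IntPtr RegionSize;
        public uint   State;
        public uint   Protect;
        public uint   Type;
    }

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr VirtualAlloc(IntPtr addr, UIntPtr size, uint type, uint protect);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool VirtualFree(IntPtr addr, UIntPtr size, uint freeType);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern UIntPtr VirtualQuery(IntPtr addr, out MEMORY_BASIC_INFORMATION mbi, UIntPtr len);
}
"@
Add-Type -TypeDefinition $src

# Helper (this example's own): current page protection of an address.
function Get-PageProtect([IntPtr]$Address) {
    $mbi = New-Object -TypeName 'Vm+MEMORY_BASIC_INFORMATION'
    $len = [UIntPtr]::new([uint64][Runtime.InteropServices.Marshal]::SizeOf($mbi))
    if ([Vm]::VirtualQuery($Address, [ref]$mbi, $len) -eq [UIntPtr]::Zero) { throw "VirtualQuery failed" }
    return $mbi.Protect
}

$size = [UIntPtr]::new([uint64]0x1000)

# Content-process side, step 1: own the address the JIT server will use next.
# The real attack frees it with UnmapViewOfFile(); here the kernel simply hands
# out a fresh RW page.
$addr = [Vm]::VirtualAlloc([IntPtr]::Zero, $size, [Vm]::MEM_RESERVE -bor [Vm]::MEM_COMMIT, [Vm]::PAGE_READWRITE)
if ($addr -eq [IntPtr]::Zero) { throw "VirtualAlloc failed" }
'Attacker RW page at 0x{0:X}, protect=0x{1:X}' -f $addr.ToInt64(), (Get-PageProtect $addr)

# Step 2: write the payload while the page is still writable. 0xC3 (x86 RET) is
# a constructed marker, not a real payload.
$payload = [byte[]](0xC3, 0xC3, 0xC3, 0xC3)
[Runtime.InteropServices.Marshal]::Copy($payload, 0, $addr, $payload.Length)

# Step 3: the JIT-server-style call. MEM_COMMIT on an already committed page
# does not fail, and the page comes back PAGE_EXECUTE_READ with our bytes intact.
$r = [Vm]::VirtualAlloc($addr, $size, [Vm]::MEM_COMMIT, [Vm]::PAGE_EXECUTE_READ)
$prot  = Get-PageProtect $addr
$first = [Runtime.InteropServices.Marshal]::ReadByte($addr)
'Recommit returned 0x{0:X}, protect=0x{1:X} (0x20 is PAGE_EXECUTE_READ), first byte=0x{2:X}' -f $r.ToInt64(), $prot, $first

# Check: reserving and committing in one call at an explicit address cannot be
# tricked this way, because MEM_RESERVE fails when the range is already taken.
$r2  = [Vm]::VirtualAlloc($addr, $size, [Vm]::MEM_RESERVE -bor [Vm]::MEM_COMMIT, [Vm]::PAGE_EXECUTE_READ)
$err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
'Reserve+commit on the same range returned 0x{0:X}, Win32 error {1}' -f $r2.ToInt64(), $err

[void][Vm]::VirtualFree($addr, [UIntPtr]::Zero, [Vm]::MEM_RELEASE)
```

After step 3 the query should report protection 0x20 with the RET bytes still in place, while the reserve-plus-commit call returns zero with a Win32 error: committing is lenient about existing pages, reserving is not. Two caveats: the script must run in a process without ACG, because ACG would refuse the PAGE_EXECUTE_READ request in-process (which is precisely why Edge delegates it to the JIT process), and it only demonstrates the memory-manager semantics; the real bypass also needs a compromised content process and a correct guess of the JIT server's next address.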

Google rated the issue Medium severity and notified Microsoft in November 2017. Microsoft has, however, struggled to fix it, missing both the 90-day disclosure deadline and the additional 14-day grace period it asked for.

Microsoft now hopes to have a fix available by next month's Patch Tuesday, but I suspect Edge users have little to worry about, given the browser's current small market share, which means that, unlike Google's Project Zero, most hackers will be looking elsewhere.

Read all the details on Google's blog here.
