Google Project Zero targets Microsoft Edge Arbitrary Code Guard feature

Google’s Project Zero has targeted Microsoft yet again, and this time Edge is at fault. According to a 31-page paper published by Ivan Fratric, Edge’s Arbitrary Code Guard (ACG) isn’t powerful enough to stop advanced attacks.

This is not the first time Google has called out Microsoft publicly over a potential vulnerability. In February, Google researchers first exposed a mitigation bypass technique that allowed an advanced attacker to bypass Microsoft’s ACG. Microsoft rolled out ACG with the Windows 10 Creators Update last year; it disrupts the typical browser-based exploit chain by preventing an attacker from allocating or modifying executable memory in the browser process.

ACG does succeed in fulfilling its purpose of preventing executable memory from being allocated and modified. However, due to the mutual dependence of CFG (Control Flow Guard), ACG and CIG and the shortcomings of CFG in Microsoft Windows, ACG alone can’t be sufficient to stop advanced attackers from escaping a browser’s sandbox and mounting other attacks.

– Ivan Fratric
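Because Fratric’s point is that ACG only holds up when CFG and CIG are also in place, a defender auditing a browser or any other process wants to see all three states at once. The following PowerShell is an added example and is not part of the paper or of any Microsoft tooling beyond the cmdlets it calls: it uses the Windows 10 Exploit Guard cmdlets Get-ProcessMitigation and Set-ProcessMitigation (the `BlockDynamicCode`, `StrictCFG` and `MicrosoftSignedOnly` options correspond to ACG, strict CFG and CIG respectively). The function name, the target executable name and the property paths read from the returned object (`DynamicCode.BlockDynamicCode`, `Cfg.Enable`, `Cfg.StrictControlFlowGuard`, `BinarySignature.MicrosoftSignedOnly`) are assumptions made for this example; check them against your Windows build before relying on the output.

```powershell
# Added example (not from the original article): audit and enforce the
# ACG / CFG / CIG trio for a process image.  Requires Windows 10 1709+ and an
# elevated shell for the Set-ProcessMitigation call.

function Get-CodeIntegrityMitigationState {
    # Returns a small object summarising the three mitigations the Project
    # Zero paper says must hold together.  $ImageName is assumed to be the
    # executable file name, e.g. "MicrosoftEdgeCP.exe".
    param([Parameter(Mandatory)][string]$ImageName)

    $m = Get-ProcessMitigation -Name $ImageName

    # Property paths below are assumed from the Exploit Guard XML schema
    # (<DynamicCode BlockDynamicCode=..>, <Cfg Enable=.. StrictControlFlowGuard=..>,
    #  <BinarySignature MicrosoftSignedOnly=..>).
    [pscustomobject]@{
        Image      = $ImageName
        ACG        = $m.DynamicCode.BlockDynamicCode          # Arbitrary Code Guard
        CFG        = $m.Cfg.Enable                            # Control Flow Guard
        StrictCFG  = $m.Cfg.StrictControlFlowGuard            # refuse non-CFG images
        CIG        = $m.BinarySignature.MicrosoftSignedOnly   # Code Integrity Guard
    }
}

function Enable-CodeIntegrityMitigations {
    # Turns on ACG, strict CFG and CIG for the image so that none of the three
    # is left as the weak link the paper describes.  Writes the per-image
    # policy to the registry (HKLM:\...\Image File Execution Options), so it
    # applies to new instances of the process.
    param([Parameter(Mandatory)][string]$ImageName)

    Set-ProcessMitigation -Name $ImageName -Enable BlockDynamicCode, StrictCFG, MicrosoftSignedOnly
    Get-CodeIntegrityMitigationState -ImageName $ImageName
}

# Usage (constructed): inspect first, then enforce if anything is OFF/NOTSET.
$state = Get-CodeIntegrityMitigationState -ImageName 'MicrosoftEdgeCP.exe'
$state | Format-List

if ($state.ACG -ne 'ON' -or $state.StrictCFG -ne 'ON' -or $state.CIG -ne 'ON') {
    Write-Warning 'One of ACG / strict CFG / CIG is not enforced; enabling all three.'
    Enable-CodeIntegrityMitigations -ImageName 'MicrosoftEdgeCP.exe' | Format-List
}
```

The values Get-ProcessMitigation reports are the tri-state ON / OFF / NOTSET, so the check above treats anything other than ON as not enforced. Setting these per-image policies on a process whose DLLs are not CFG-instrumented or not Microsoft-signed can prevent it from starting, which is why the example audits before it enforces.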

Google has already released the full report on how the bypass works this week, after Microsoft didn’t fix the issue within Project Zero’s 90-day disclosure deadline. Fratric also noted that, despite Microsoft’s fixes for ACG, the mitigation feature called Control Flow Guard (CFG) remains open to attack.

Currently, with a lot of known bypasses, bypassing CFG in Windows is not difficult. However, should Microsoft be able to fix all the known weaknesses of CFG, including adding the return flow protection, the situation might change in the next couple of years. As Microsoft already showed intention to do this, we believe this is their long-term plan.

– Ivan Fratric

He said his research focuses only on Microsoft Edge, but other browsers might behave similarly once they implement “out-of-process JIT”.

Outside the problems with CFG, the most fragile aspect of the ACG is the JIT server implementation, where multiple issues were uncovered. While the implementation is young and the first of its kind, so some issues are expected, the larger issue is that the security boundary between the Content Process and the JIT Process isn’t adequately enforced.

– Ivan Fratric

Microsoft hasn’t made any statement regarding this issue, so we will have to wait for the company to give its view.

Source: Google; Via: ThreatPost
