Google Project Zero targets Microsoft Edge Arbitrary Code Guard feature


Google’s Project Zero has targeted Microsoft yet again, and this time Edge is at fault. According to a 31-page paper published by Ivan Fratric, Edge’s Arbitrary Code Guard (ACG) isn’t strong enough to stop advanced attacks.

This is not the first time Google has called out Microsoft publicly over a potential vulnerability. In February, Google researchers first disclosed a mitigation bypass technique that allowed an advanced attacker to get around Microsoft’s ACG. Microsoft rolled out ACG with the Windows 10 Creators Update last year; it disrupts the typical browser exploit chain by preventing an attacker from allocating or modifying executable memory in the browser process.

ACG does succeed in fulfilling its purpose of preventing executable memory from being allocated and modified. However, due to the mutual dependence of CFG (Control Flow Guard), ACG and CIG and the shortcomings of CFG in Microsoft Windows, ACG alone can’t be sufficient to stop advanced attackers from escaping a browser’s sandbox and mounting other attacks.

– Ivan Fratric

Google released the full report on how the bypass works this week, after Microsoft didn’t fix the issue within Project Zero’s 90-day disclosure deadline. Fratric also noted that, despite Microsoft’s fixes to ACG, the related mitigation called Control Flow Guard (CFG) remains open to attack.

Currently, with a lot of known bypasses, bypassing CFG in Windows is not difficult. However, should Microsoft be able to fix all the known weaknesses of CFG, including adding the return flow protection, the situation might change in the next couple of years. As Microsoft already showed intention to do this, we believe this is their long-term plan.

– Ivan Fratric

He noted that his research focuses only on Microsoft Edge, and that other browsers might behave similarly once they implement “out-of-process JIT”.

Outside the problems with CFG, the most fragile aspect of the ACG is the JIT server implementation, where multiple issues were uncovered. While the implementation is young and the first of its kind, so some issues are expected, the larger issue is that the security boundary between the Content Process and the JIT Process isn’t adequately enforced.

– Ivan Fratric

Microsoft hasn’t made any statement on the issue yet, so we will have to wait for the company’s response.

Source: Google; Via: ThreatPost
