
posted by Fnord666 on Tuesday February 20 2018, @03:44PM
from the responsible-disclosure dept.

Google's Project Zero has disclosed a vulnerability in the Microsoft Edge web browser that bypasses the browser's Arbitrary Code Guard (ACG). Project Zero disclosed the bug 14 days after the end of the usual 90-day period, but it apparently wasn't enough time for Microsoft to patch it:

Google's Project Zero initiative tasks its security researchers with finding flaws in various software products developed by the company itself as well as other firms. Back in 2016, it revealed a serious vulnerability present in Windows 10, and reported a "crazy bad vulnerability" in Windows in 2017. Now, the firm has disclosed another security flaw in Microsoft Edge, after the Redmond giant failed to fix it in the allotted time.

[...] According to the Microsoft Security Response Center (MSRC), the problem turned out to be more complex than initially believed, due to which it was given an additional 14-day grace period by Google. Although the company missed this deadline in its February Patch Tuesday too - which forced Google to make the flaw public - Microsoft is confident that it will resolve the issue by March 13, aligning the shipment of the fix with the Patch Tuesday in March.

Also at The Verge and BetaNews.

(Score: 3, Informative) by TheRaven (270) on Wednesday February 21 2018, @02:58PM (#641170) Journal

    > I think that's it - the meat of the 'content' process space presumably runs with the NX bit set. TFA never mentions 'NX', but I presume that's what Microsoft's 'Arbitrary Code Guard' boils down to.

    It runs in W^X mode, and with most code non-executable. The important bit is that this process never generates new executable code, it maps a shared memory region as read-execute and another process maps it read-write. The other process runs the JIT and generates code, but the code generation and the execution of that code run in different processes so it's difficult to use the JIT to attack itself.

    > Ah, the war against ROP. Did Intel's 'Control-flow Enforcement Technology' ever go anywhere?

    Yup, it's coming soon. We've done some reviews of it and it's pretty sensible. I wasn't actually talking about CET though, Microsoft Research has a pure software CFI scheme that is on by default on Windows 10 for all system applications and libraries and can be optionally enabled via Windows Update on Windows 7 and later.

    > Assuming equal privileges between the content and JIT processes, at least.

    As I understand it, this doesn't help you attack the JIT process, it lets you map some memory write-execute in the content process, but only if you can issue a VirtualAlloc or VirtualAllocEx system call in the content process.

    --
    sudo mod me up
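The split-process JIT that TheRaven describes above (one process maps a shared region read-write and emits code into it, the other maps the same region read-execute and runs it) can be demonstrated with POSIX primitives. The following is an added example, not code from the thread, from Edge, or from Microsoft. It assumes Linux (memfd_create, a /proc reopen to obtain a read-only handle), squeezes both "sides" into one process so it runs stand-alone, and uses a constructed machine-code stub for x86-64 and AArch64 that simply returns 42. The point it shows beyond the comment is the last step: because the execute side only ever holds a read-only handle, it cannot later turn its mapping writable, which is what makes the W^X split hold even if the content process is compromised.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Machine code for "int f(void) { return 42; }", constructed for this
 * example; the bytes are architecture-specific. */
#if defined(__x86_64__)
static const unsigned char kCode[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };             /* mov eax, 42 ; ret */
#elif defined(__aarch64__)
static const unsigned char kCode[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 }; /* mov w0, #42 ; ret */
#else
#error "this example carries code bytes for x86-64 and AArch64 only"
#endif

typedef int (*jitted_fn)(void);

/* Emulates the two-process split inside one process (an assumption made to
 * keep the example self-contained): the "JIT side" holds a read-write handle
 * and mapping, the "content side" holds only a read-only handle and a
 * read-execute mapping of the same memory.  Returns what the generated code
 * returns (42) or -1 on failure; *rx_write_blocked is set to 1 when the
 * content-side mapping refuses to become writable. */
int run_split_jit(int *rx_write_blocked)
{
    long page = sysconf(_SC_PAGESIZE);
    int result = -1;
    void *rw = MAP_FAILED, *rx = MAP_FAILED;
    *rx_write_blocked = 0;

    /* JIT side: anonymous shared memory object with full access.  Newer
     * kernels let us ask for an executable memfd explicitly; older ones
     * reject the flag, so fall back to the plain form. */
    int jit_fd = -1;
#ifdef MFD_EXEC
    jit_fd = memfd_create("split-jit-example", MFD_CLOEXEC | MFD_EXEC);
#endif
    if (jit_fd < 0) jit_fd = memfd_create("split-jit-example", MFD_CLOEXEC);
    if (jit_fd < 0 || ftruncate(jit_fd, page) < 0) return -1;

    /* Content side gets the same object re-opened read-only; on Windows this
     * corresponds to a duplicated handle that lacks write access. */
    char path[64];
    snprintf(path, sizeof path, "/proc/self/fd/%d", jit_fd);
    int content_fd = open(path, O_RDONLY | O_CLOEXEC);
    if (content_fd < 0) { close(jit_fd); return -1; }

    rw = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_SHARED, jit_fd, 0);
    rx = mmap(NULL, page, PROT_READ | PROT_EXEC, MAP_SHARED, content_fd, 0);
    if (rw == MAP_FAILED || rx == MAP_FAILED) goto out;

    /* JIT side emits code through the writable alias ... */
    memcpy(rw, kCode, sizeof kCode);
    /* ... and the content side runs it through the executable alias.  The
     * instruction-cache flush matters on AArch64; it is a no-op on x86-64. */
    __builtin___clear_cache((char *)rx, (char *)rx + page);
    jitted_fn fn;
    memcpy(&fn, &rx, sizeof fn);   /* sidestep the object-to-function pointer cast warning */
    result = fn();

    /* Code running in the content process cannot flip the alias to writable:
     * the mapping came from a read-only handle, so the kernel refuses
     * PROT_WRITE (EACCES on Linux).  This is the property that keeps the
     * region W^X across the two processes. */
    if (mprotect(rx, page, PROT_READ | PROT_WRITE | PROT_EXEC) == -1 && errno == EACCES)
        *rx_write_blocked = 1;

out:
    if (rw != MAP_FAILED) munmap(rw, page);
    if (rx != MAP_FAILED) munmap(rx, page);
    close(content_fd);
    close(jit_fd);
    return result;
}

/* Convenience check: 1 if the generated code ran and the RX alias stayed
 * non-writable, 0 otherwise. */
int split_jit_blocks_write(void)
{
    int blocked = 0;
    return run_split_jit(&blocked) == 42 && blocked == 1;
}

int main(void)
{
    int blocked = 0;
    int v = run_split_jit(&blocked);
    printf("generated code returned %d; RX alias made writable on request: %s\n",
           v, blocked ? "no (refused)" : "yes");
    return (v == 42 && blocked) ? 0 : 1;
}
```

The handle rights are the whole story: if the content side were handed the read-write descriptor instead of the read-only reopen, the same mprotect call would succeed and a memory-corruption bug in that process could write shellcode straight into the executable alias, which is the scenario ACG and the out-of-process JIT are meant to rule out.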