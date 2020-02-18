from the responsible-disclosure dept.
Google's Project Zero has disclosed a vulnerability in the Microsoft Edge web browser that bypasses the browser's Arbitrary Code Guard (ACG). Project Zero disclosed the bug 14 days after the end of the usual 90-day period, but it apparently wasn't enough time for Microsoft to patch it:
Google's Project Zero initiative tasks its security researchers with finding flaws in various software products developed by the company itself as well as other firms. Back in 2016, it revealed a serious vulnerability present in Windows 10, and reported a "crazy bad vulnerability" in Windows in 2017. Now, the firm has disclosed another security flaw in Microsoft Edge, after the Redmond giant failed to fix it in the allotted time.
[...] According to the Microsoft Security Response Center (MSRC), the problem turned out to be more complex than initially believed, due to which it was given an additional 14-day grace period by Google. Although the company missed this deadline in its February Patch Tuesday too - which forced Google to make the flaw public - Microsoft is confident that it will resolve the issue by March 13, aligning the shipment of the fix with the Patch Tuesday in March.
(Score: 0) by Anonymous Coward on Tuesday February 20, @03:59PM (9 children)
So, it is actually fixed, but not released yet. Why this semi-hard deadline of 90 days (with 2 weeks extension). Couldn't they just wait another few weeks for disclosing it, until the patch is actually released? Why the rush of disclosing it?
(Score: 5, Informative) by takyon on Tuesday February 20, @04:03PM (8 children)
https://googleprojectzero.blogspot.com/2015/02/feedback-and-data-driven-updates-to.html [blogspot.com]
(Score: 0, Disagree) by Anonymous Coward on Tuesday February 20, @04:15PM (7 children)
The embargo window is there to make sure that the vendor gets their act together and actually fixes things instead of being a black hole of bug-reports. In this case, Google acted irresponsibly because the intent of the embargo was satisfied: MSFT has been trying to get a fix working but hasn't succeeded in that yet. They could have worked with MSFT to make sure they aren't dragging their feet and actually continue on pushing a fix out but there was no reason for Google to disclose this (or not extend the embargo) aside from being dicks and doing it for a browser that is their direct competitor.
Google acted irresponsibly in this case and there is no excuse!
(Score: 5, Funny) by takyon on Tuesday February 20, @04:24PM (4 children)
So the embargo window is there for a reason... but Google actually ending the embargo (albeit with a 14 day extension) is bad.
What should they do instead? Extend the window repeatedly forever? Then it's no longer a window, it's windows.
(Score: 1, Funny) by realDonaldTrump on Tuesday February 20, @04:36PM (3 children)
So many people who have computer, they have it for windows. For solitaire, for so many things. They love the solitaire, so interesting! Great job, Bill! Great job, Satya!
(Score: 3, Funny) by realDonaldTrump on Tuesday February 20, @06:07PM (2 children)
It's a day ending in "Y" so dumb & unfair downmodders are "reading." They're not reading. Because the STORY and the other TWEET are about windows! But I tweet about windows, suddenly it's "OFFTOPIC." Not because of what I wrote. Because of who I am!!!!
(Score: 2) by DannyB on Tuesday February 20, @08:20PM
Microsoft should make new Surface laptops powered by Clean Coal. Beautiful Clean Coal.
(Score: 4, Interesting) by captain normal on Tuesday February 20, @08:27PM
The story and TFA are about a vulnerabilkity in MS's Edge brower that was discovered by Google's Project Zero. All the posts up to yours are about that toipic. Your post is not. So to me that seems your post could qualify as "Off topic".
If you were down moded, it probably has nothing to do with who you are (or pretend to be). Likely it was because you didn't contribute to the actual discussion.
(Score: 5, Insightful) by requerdanos on Tuesday February 20, @04:52PM (1 child)
Microsoft is a large enough, not-100%-trustworthy enough organization for a judgment call like that to be fraught with uncertainty. Even now, the patch isn't out, and one may be in the works and may not; all we have are words.
What has certainty is the disclosure program, which is pretty effective. That's a reason that might seem petty and spiteful, might even be petty and/or spiteful, but which was made in line with a policy that has a proven track record of improving security industry-wide.
(Score: 0) by Anonymous Coward on Tuesday February 20, @05:12PM
OP here...
You know what, you're not going to hear this often on the 'tubes, but the way you put it, I think you're right. I hereby recall my original post...
(Score: 2) by Wootery on Tuesday February 20, @04:31PM (3 children)
From TFA:
So it enables an attacker to escalate an exploit in an Edge 'content process' up into executing arbitrary instructions, if I understand correctly. But it doesn't give an attacker a new way in at the ground floor.
(Score: 4, Funny) by Wootery on Tuesday February 20, @04:33PM
...and too late I realise I never replaced my placeholder subject :-P
(Score: 2) by TheRaven on Tuesday February 20, @04:49PM (1 child)
I think that's right. It's not clear that this is actually exploitable, because to be able to meet the prerequisites you must already have compromised the content process enough that you can issue a system call (of your choice, with arguments of your choice), but not enough that you can execute arbitrary code. This is a pretty narrow window. It's basically useful only if you have a not-quite arbitrary code execution vulnerability that lets you run a small amount of arbitrary code and the CFI stuff in recent versions of Windows is good enough that you can't use this to start a code reuse attack that lets you run arbitrary code in some kind of weird machine made from gadgets in existing code. If you can already execute arbitrary code in the compromised process, then this doesn't give you anything else. If you can't execute arbitrary code, then it's unlikely that you can issue the system call.
The one place where this might be interesting is if there is a separate vulnerability that lets you control the base address for an existing VirtualAlloc[Ex] call. In this case, you'd be able to elevate from a data injection to arbitrary code execution. That seems pretty unlikely though.
sudo mod me up
(Score: 3, Interesting) by Wootery on Tuesday February 20, @05:11PM
I think that's it - the meat of the 'content' process space presumably runs with the NX bit set. TFA never mentions 'NX', but I presume that's what Microsoft's 'Arbitrary Code Guard' boils down to.
Ah, the war against ROP. Did Intel's 'Control-flow Enforcement Technology' ever go anywhere?
Assuming equal privileges between the content and JIT processes, at least.