White hackers at the Google Project Zero have disclosed details of an unpatched vulnerability in the Edge browser because Microsoft failed to address it within a 90-day deadline according to the Google’s disclosure policy.
The flaw could be exploited by attackers to bypass the Arbitrary Code Guard (ACG) that was implemented in Windows 10 Creators Update alongside Code Integrity Guard (CIG).
The security features allow preventing Edge browser exploits from loading and executing malicious code.
“An application can directly load malicious native code into memory by either 1) loading a malicious DLL/EXE from disk or 2) dynamically generating/modifying code in memory. CIG prevents the first method by enabling DLL code signing requirements for Microsoft Edge. This ensures that only properly signed DLLs are allowed to load by a process. ACG then complements this by ensuring that signed code pages are immutable and that new unsigned code pages cannot be created.” states the description published by Microsoft.
Google Project Zero researcher Ivan Fratric who discovered the vulnerability demonstrated that the ACG feature can be bypassed. The expert reported the issue to Microsoft on November 17, but the tech giant had initially planned to include a fix in the February Patch Tuesday updates, but evidently, something went wrong because “the fix is more complex than initially anticipated.”
The vulnerability was classified as having “medium” severity, Project Zero has published details of the issue in a blog post.
“If a content process is compromised and the content process can predict on which address JIT process is going to call VirtualAllocEx() next (note: it is fairly predictable), content process can: 1. Unmap the shared memory mapped above above using UnmapViewOfFile() 2. Allocate a writable memory region on the same address JIT server is going to write and write an soon-to-be-executable payload there. 3. When JIT process calls VirtualAllocEx(), even though the memory is already allocated, the call is going to succeed and the memory protection is going to be set to PAGE_EXECUTE_READ.” reads the analysis shared by Google.
In February 2017, Fratric published technical details related to a high severity type confusion vulnerability, tracked as CVE-2017-0037, that could have been exploited by attackers to crash Internet Explorer and Edge browser, and under certain circumstance to execute arbitrary code.
(Security Affairs – Edge browser flaw, hacking)