Google discloses Microsoft Edge security flaw before it could be fixed

Microsoft failed to develop a fix within the 90-day disclosure deadline, so Google Project Zero researcher went public with the details of an ACG bypass on Microsoft Edge.

Google disclosed Microsoft Edge security flaw before it could be fixed
Microsoft

Google seems to be gunning for Microsoft again by going public with a vulnerability in Microsoft Edge before Microsoft could develop a patch.

The flaw affects Microsoft's Arbitrary Code Guard (ACG), which Microsoft described a year ago in a post about major security improvements released in the Creators Update of Windows 10. To mitigate arbitrary native code execution in Edge, the Creators Update would use "Code Integrity Guard (CIG) and Arbitrary Code Guard (ACG) to help break the most universal primitive found in modern web browser exploits: loading malicious code into memory."

Microsoft went on to explain how modern browsers transform JavaScript to native code, but "enabling Just-in-Time (JIT) compilers to work with ACG enabled is a non-trivial engineering task." The Redmond giant "moved the JIT functionality of Chakra into a separate process that runs in its own isolated sandbox. The JIT process is responsible for compiling JavaScript to native code and mapping it into the requesting content process. In this way, the content process itself is never allowed to directly map or modify its own JIT code pages."

When ACG was enabled, "the Windows kernel prevents a content process from creating and modifying code pages in memory by enforcing the following policy: Code pages are immutable. New, unsigned code pages cannot be created."

Flaw allows ACG to be bypassed

However, Google researcher Ivan Fratric discovered how to bypass ACG and reported the flaw to Microsoft last November. The flaw's severity was rated as "medium."

Microsoft was given the standard 90-day disclosure deadline, but it failed to fix the issue.

On Friday, Google Project Zero publicly disclosed "Microsoft Edge: ACG bypass using UnmapViewOfFile."

According to comments posted on the disclosure, The Microsoft Security Response Center replied, "The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues." MSRC was confident, worded as "positive," that the patch would be ready by March 13.

Google Project Zero pointed out that the date exceeded "the 90-day SLA and 14-day grace period to align with Update Tuesdays." Therefore, Google disclosed the flaw.

But the fix may not roll out in the March 2018 Patch Tuesday. Fratric noted that Microsoft wanted to clarify: "Because of the complexity of the fix, they do not yet have a fixed date set as of yet."

So, now the details are in the public domain and cyber thugs can get to work on exploiting it. On the bright side, how many people actually use Edge? NetMarketShare reported that Edge had a browser market share of 4.67 percent in January. Yet for the people that do use Edge, short of changing browsers, they will have to wait on Microsoft to roll out the patch.

Microsoft should expect Google to go public with flaws

This is not the first and will doubtfully be the last time that Google Project Zero goes public with a Windows-related vulnerability when Microsoft fails to meet the 90-day deadline.

Back in 2016, after Google went public with a flaw that could allow an attacker to install a backdoor on Windows users' computers, Microsoft's Terry Myerson was so aggravated with Google that he wrote, "We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google's decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk."

Right or wrong, at this point, Microsoft should expect Google to go public if the disclosure deadline is not met.

NEW! Download the Winter 2018 issue of Security Smart