Windows 10 security: Google exposes how malicious sites can exploit Microsoft Edge

Microsoft misses Google's 90-day deadline, so Google has published details of an exploit mitigation bypass.
Written by Liam Tung, Contributing Writer


Google's Project Zero team has published details of an unfixed bypass for an important exploit-mitigation technique in Edge.

The mitigation, Arbitrary Code Guard (ACG), arrived in the Windows 10 Creators Update to help thwart web attacks that attempt to load malicious code into memory. With ACG enabled, the kernel makes a process's existing code pages immutable and refuses to create new executable pages for it, so an attacker who has gained a memory-corruption foothold cannot write shellcode into memory and make it executable; the only code that can run is what was loaded from properly signed images.

However, as Microsoft explains, the Just-in-Time (JIT) compilers used in modern web browsers create a problem for ACG. A JIT compiler transforms JavaScript into native code at runtime; that code is by its nature unsigned and, in a conventional design, is written into executable memory inside the content process, which is exactly what ACG forbids.

To ensure JIT compilation still works with ACG enabled, Microsoft moved Edge's JIT compiler into a separate process that runs in its own isolated sandbox. Microsoft said this move was "a non-trivial engineering task".

"The JIT process is responsible for compiling JavaScript to native code and mapping it into the requesting content process. In this way, the content process itself is never allowed to directly map or modify its own JIT code pages," Microsoft says.

Google's Project Zero found that the way the JIT process writes executable code into the content process creates an opening.

Its report, 'ACG bypass using UnmapViewOfFile', shows that a compromised content process can predict the address at which the JIT process will next call VirtualAllocEx(), and can then "allocate a writable memory region on the same address JIT server is going to write and write a soon-to-be-executable payload there". The content process never has to create executable memory itself: it places the payload in ordinary writable memory and lets the JIT server, which is trusted to do so, turn that region executable.
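The bypass above works against a process on which ACG is correctly enabled, so the first thing to establish on a given machine is which state a process image is actually in. The following PowerShell is an added example, not code from the article, Google or Microsoft; it uses the Windows Defender Exploit Guard cmdlets shipped in Windows 10 version 1709 and later, assumes the EdgeHTML-era content-process image name MicrosoftEdgeCP.exe, and relies on the property names (DynamicCode.BlockDynamicCode, AllowThreadsToOptOut, Audit, Id, ProcessName) as printed by Get-ProcessMitigation.

```powershell
# Added example (not from the article, Google or Microsoft): inspect and optionally
# enforce Arbitrary Code Guard, exposed by the Exploit Guard cmdlets as "DynamicCode".
# Requires Windows 10 1709+; Set-ProcessMitigation needs an elevated shell.
# Assumption: property names below match the Get-ProcessMitigation output layout.

function Get-AcgState {
    param([Parameter(Mandatory)][string]$ImageName)

    # Per-image policy as configured on this machine (registry / Exploit Protection UI).
    $policy = Get-ProcessMitigation -Name $ImageName

    $block  = [string]$policy.DynamicCode.BlockDynamicCode
    $optOut = [string]$policy.DynamicCode.AllowThreadsToOptOut
    $audit  = [string]$policy.DynamicCode.Audit

    # ACG only counts when it is enforced (not audit-only) and threads cannot opt out.
    $enforced = ($block -eq 'ON') -and ($audit -ne 'ON') -and ($optOut -ne 'ON')

    [pscustomobject]@{
        Image              = $ImageName
        BlockDynamicCode   = $block
        AllowThreadsOptOut = $optOut
        AuditOnly          = $audit
        AcgEnforced        = $enforced
    }
}

function Get-RunningAcgState {
    param([Parameter(Mandatory)][string]$ImageName)

    # Live view: what the kernel is actually enforcing on running instances of the image.
    Get-ProcessMitigation -Name $ImageName -RunningProcesses |
        ForEach-Object {
            [pscustomobject]@{
                ProcessId        = $_.Id
                Image            = $_.ProcessName
                BlockDynamicCode = [string]$_.DynamicCode.BlockDynamicCode
                AllowThreadsOptOut = [string]$_.DynamicCode.AllowThreadsToOptOut
            }
        }
}

function Enable-Acg {
    param([Parameter(Mandatory)][string]$ImageName)

    # Caveat: any application that generates native code in-process (a JIT engine,
    # a .NET runtime) will break under DynamicCode, which is the problem Edge's
    # out-of-process JIT exists to solve. Apply only to images known not to JIT.
    Set-ProcessMitigation -Name $ImageName -Enable DynamicCode
    Get-AcgState -ImageName $ImageName
}

# Usage: configured policy versus what running content processes really have.
Get-AcgState -ImageName 'MicrosoftEdgeCP.exe' | Format-List
Get-RunningAcgState -ImageName 'MicrosoftEdgeCP.exe' | Format-Table -AutoSize
```

Get-ProcessMitigation -Name reads the per-image policy stored on the machine, while -RunningProcesses reports what the kernel is enforcing right now; Edge turns ACG on for its content processes itself rather than through the image policy, so the first query will typically show NOTSET while the second shows ON. A reading of ON is a configuration check only: it is exactly the state the Project Zero bypass defeats until Microsoft's fix ships.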

Google reported the issue to Microsoft in mid-November, rating it medium severity because a mitigation bypass only helps an attacker who has already compromised the content process, and published details of the bypass yesterday after its 90-day deadline had passed.

Microsoft confirmed the ACG bypass in its response to Google and initially aimed to fix it by February's Patch Tuesday, but found the fix to be "more complex" than it had anticipated. It is now targeting March's Patch Tuesday.

"The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues," Microsoft said.

"The team IS positive that this will be ready to ship on March 13, however this is beyond the 90-day SLA and 14-day grace period to align with Update Tuesdays."
