Windows 10 security: Google Project Zero shreds Microsoft's unique Edge defense

Google Project Zero says Microsoft's Arbitrary Code Guard in Edge fails where Chrome's site isolation succeeds.
Written by Liam Tung, Contributing Writer

Microsoft has heavily promoted the advances it's made in Windows 10's built-in exploit mitigations to encourage enterprise adoption, but Google's Project Zero isn't convinced key defenses can stand up to advanced hackers.

Project Zero researcher Ivan Fratric has released a white paper detailing the group's work on undermining the Windows 10 Creators Update feature Arbitrary Code Guard (ACG), as applied to Microsoft Edge.

Currently, the ACG exploit mitigation is exclusive to Edge and aims to prevent advanced attackers from executing malicious code in memory if they've already compromised a content process in the browser.

In February, Fratric published details of an ACG bypass in Edge before Microsoft was able to fix the issue, because Microsoft had exceeded the group's strict 90-day deadline.

The bypass undermined -- and helped Microsoft improve -- a customization Microsoft developed to ensure Edge's just-in-time (JIT) JavaScript compilers worked with ACG enabled.

The solution required considerable effort on Microsoft's part and involved putting Edge's JIT engine in its own sandboxed process, separate from the browser's content processes.

The defense should ultimately stop advanced attackers escaping Edge's sandbox. However, Fratric found that while ACG generally stands up to the task, it and another feature called Code Integrity Guard (CIG) are let down by a further Windows 10 exploit mitigation feature called Control Flow Guard (CFG).

Fratric contends that for ACG to be successful at blocking all attacks, ACG, CIG and CFG all need to be impervious to bypasses. But that's not the case with CFG, and in some attack scenarios Chrome's site-isolation feature would be harder to bypass than Edge with ACG enabled, according to Fratric.

"Currently, with a lot of known bypasses, bypassing CFG in Windows is not difficult. However, should Microsoft be able to fix all the known weaknesses of CFG, including adding the return flow protection, the situation might change in the next couple of years. As Microsoft already showed intention to do this, we believe this is their long-term plan," he notes.

He continues later: "ACG does succeed to fulfill its purpose of preventing executable memory from being allocated and modified. However, due to mutual dependence of CFG, ACG and CIG and the shortcomings of CFG in Microsoft Windows, ACG alone can't be sufficient to stop advanced attackers from escaping a browser's sandbox and mounting other attacks."

Google's Chrome developers see site isolation, which involves running each site in its own sandboxed process, as the key difference between Edge and Chrome on the exploit-mitigation front. The problem with site isolation is that it causes between 10 and 20 percent higher memory usage.

However, overall Fratric believes that Microsoft's customizations that enabled ACG for Edge are inherently flawed.

"While the paper focuses on Microsoft Edge, we believe that any other attempt to implement out-of-process JIT would encounter similar problems," Fratric notes in a blog post.

ZDNet has contacted Microsoft for its comments and will post its response should one be received.
