Google discloses Microsoft Edge vulnerability without a patch
Google's Project Zero published an Edge browser vulnerability after the 90-day disclosure deadline expired, and Microsoft has yet to patch the flaw.
Google's Project Zero publicly disclosed a Microsoft Edge vulnerability that could enable attackers to bypass a security feature.
Microsoft Edge, the new and improved web browser from the software giant, uses a security feature called Arbitrary Code Guard, or ACG. The feature was introduced with the Windows 10 Creators Update to stop attacks that use JavaScript to try to load malicious code into memory through Edge. ACG is supposed to make sure only properly signed code gets mapped to memory. When Microsoft introduced this security feature in a blog post last year, along with its counterpart, Code Integrity Guard, it said it was meant to ensure "that signed code pages are immutable and that new unsigned code pages cannot be created."
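What that guarantee looks like from inside a process, as an added example that is not code from the article, Microsoft or Project Zero: a C self-test that opts the current process into ACG through the documented SetProcessMitigationPolicy call and checks that the page-permission changes the quote rules out are refused. The names acg_selftest, ACG_UNSUPPORTED and ACG_ENABLE_FAIL are made up for this example; it assumes a Windows 10 build and returns ACG_UNSUPPORTED anywhere else.

```c
/* Added example: watch ACG refuse dynamic code in the current process. */
#ifdef _WIN32
#define _WIN32_WINNT 0x0A00   /* expose the Windows 10 mitigation-policy API */
#include <windows.h>
#endif
#include <stdio.h>

#define ACG_UNSUPPORTED (-1)  /* hypothetical code: not a Windows build */
#define ACG_ENABLE_FAIL (-2)  /* hypothetical code: policy could not be set */

/* Returns a bitmask of the operations ACG refused (7 = all three):
 *   1  allocating a fresh writable+executable page
 *   2  turning a writable data page into an executable one
 *   4  making an existing (image-backed) code page writable */
int acg_selftest(void)
{
#ifdef _WIN32
    PROCESS_MITIGATION_DYNAMIC_CODE_POLICY pol = {0};
    DWORD old = 0;
    int blocked = 0;

    pol.ProhibitDynamicCode = 1;  /* opt in; a process cannot opt out again */
    if (!SetProcessMitigationPolicy(ProcessDynamicCodePolicy, &pol, sizeof pol))
        return ACG_ENABLE_FAIL;

    void *rwx = VirtualAlloc(NULL, 4096, MEM_COMMIT | MEM_RESERVE,
                             PAGE_EXECUTE_READWRITE);
    if (rwx == NULL) blocked |= 1; else VirtualFree(rwx, 0, MEM_RELEASE);

    void *rw = VirtualAlloc(NULL, 4096, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (rw != NULL) {
        if (!VirtualProtect(rw, 4096, PAGE_EXECUTE_READ, &old)) blocked |= 2;
        VirtualFree(rw, 0, MEM_RELEASE);
    }

    if (!VirtualProtect((void *)acg_selftest, 1, PAGE_EXECUTE_READWRITE, &old))
        blocked |= 4;
    return blocked;
#else
    return ACG_UNSUPPORTED;   /* ACG is a Windows feature; nothing to test */
#endif
}

int main(void)
{
    printf("acg_selftest() = %d\n", acg_selftest());
    return 0;
}
```

On a Windows 10 system the refused calls fail with ERROR_DYNAMIC_CODE_BLOCKED, which is why a JIT engine needs special handling to coexist with ACG.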
Google Project Zero researcher Ivan Fratric, however, discovered an issue with just-in-time (JIT) compilers that makes ACG vulnerable. Despite Microsoft's initial assertion in its blog post that enabling JIT compilers to work with ACG is "a non-trivial engineering task," Fratric found the Microsoft Edge vulnerability is created by the way the JIT process writes executable code into the content process.
The Microsoft Edge vulnerability was reported to Microsoft in November; Google publicly disclosed the flaw Saturday after Microsoft exceeded Google's 90-day deadline to patch the flaw. Initially, the patch for the ACG flaw was expected in Microsoft's February Patch Tuesday release, but it never happened.
Last week, Fratric updated his findings with a message from the Microsoft Security Response Center that said, "The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues. The team IS positive that this will be ready to ship on March 13th, however this is beyond the 90-day SLA and 14-day grace period to align with Update Tuesdays."
A few days later, Fratric posted a follow-up comment and noted that the patch doesn't actually have a release date. "MSRC reached out to me to clarify that, because of the complexity of the fix, they do not yet have a fixed date set as of yet [sic]," he said.
Fratric also noted that the vulnerability would not be easy to exploit.
"This issue is a security mitigation bypass and cannot be exploited on its own," Fratric said. "An attacker would first need to exploit a separate vulnerability to gain some capabilities in the Edge content process (such as the ability to read and write arbitrary memory locations), after which they could use this vulnerability to gain additional capabilities (namely, the ability to run arbitrary machine code)."
This is not the first time Microsoft has had difficulties meeting Google's 90-day patching deadline for web browser flaws.
In one week last February, Google Project Zero released two vulnerabilities in Edge and Internet Explorer without known fixes. This happened after Microsoft canceled that month's Patch Tuesday release in an unprecedented move and thus missed the deadline set by Google. The same researcher, Fratric, had found a type-confusion vulnerability in Internet Explorer and in some cases in Edge. With this critical Edge vulnerability, Fratric commented that he "really didn't expect this one to miss the deadline" and didn't provide many details on how to exploit it.
Microsoft reportedly asked Google to extend its disclosure deadline after this incident, but Project Zero has not wavered. Google had previously altered its disclosure policy in 2015 after another disagreement with Microsoft; the policy changes included the addition of the aforementioned two-week "grace period" for scheduled patch releases following the expiration of the 90-day deadline.