Wednesday, 8 December 2021

Google disclosed Microsoft Edge security flaw

LONDON: Google seems to be gunning for Microsoft again by going public with a vulnerability in Microsoft Edge before Microsoft could develop a patch.

The flaw affects Microsoft’s Arbitrary Code Guard (ACG) which Microsoft described a year ago in a post about major security improvements released in the Creators Update of Windows 10. To mitigate arbitrary native code execution in Edge, the Creators Update would use “Code Integrity Guard (CIG) and Arbitrary Code Guard (ACG) to help break the most universal primitive found in modern web browser exploits: loading malicious code into memory.”

Microsoft went on to explain how modern browsers transform JavaScript to native code, but “enabling Just-in-Time (JIT) compilers to work with ACG enabled is a non-trivial engineering task.” The Redmond giant “moved the JIT functionality of Chakra into a separate process that runs in its own isolated sandbox. The JIT process is responsible for compiling JavaScript to native code and mapping it into the requesting content process. In this way, the content process itself is never allowed to directly map or modify its own JIT code pages.”
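What ACG enforces inside a process, as an added example that is not from this article or from Microsoft's post: a C program opts itself into the dynamic-code policy and checks that allocating executable memory and making a data page executable are both refused. It assumes a Windows 10 build environment; the function name `acg_blocks_dynamic_code` is made up for the example, and on other platforms it returns -1.

```c
/* Added example: opt a process into ACG and confirm dynamic code is refused. */
#include <stdio.h>

#ifdef _WIN32
#define _WIN32_WINNT 0x0A00   /* expose the Windows 10 mitigation-policy API */
#include <windows.h>

/* Returns 1 if ACG refused both ways of obtaining executable memory,
   0 if the policy could not be set or one of the attempts succeeded. */
int acg_blocks_dynamic_code(void)
{
    PROCESS_MITIGATION_DYNAMIC_CODE_POLICY policy = {0};
    policy.ProhibitDynamicCode = 1;   /* cannot be switched off again */
    if (!SetProcessMitigationPolicy(ProcessDynamicCodePolicy,
                                    &policy, sizeof(policy)))
        return 0;

    /* 1. Allocating a fresh writable and executable page must fail. */
    void *rwx = VirtualAlloc(NULL, 4096, MEM_COMMIT | MEM_RESERVE,
                             PAGE_EXECUTE_READWRITE);
    if (rwx != NULL) { VirtualFree(rwx, 0, MEM_RELEASE); return 0; }
    if (GetLastError() != ERROR_DYNAMIC_CODE_BLOCKED) return 0;

    /* 2. Turning an existing data page executable must fail too. */
    void *rw = VirtualAlloc(NULL, 4096, MEM_COMMIT | MEM_RESERVE,
                            PAGE_READWRITE);
    if (rw == NULL) return 0;
    DWORD old = 0;
    BOOL flipped = VirtualProtect(rw, 4096, PAGE_EXECUTE_READ, &old);
    DWORD err = GetLastError();
    VirtualFree(rw, 0, MEM_RELEASE);
    return (!flipped && err == ERROR_DYNAMIC_CODE_BLOCKED) ? 1 : 0;
}
#else
/* ACG is a Windows mitigation; elsewhere there is nothing to test. */
int acg_blocks_dynamic_code(void) { return -1; }
#endif

int main(void)
{
    int r = acg_blocks_dynamic_code();
    puts(r == 1 ? "ACG active: dynamic code blocked"
       : r == 0 ? "ACG not enforced"
                : "not a Windows build");
    return r == 0;   /* non-zero exit only when the mitigation did not hold */
}
```

A JIT compiler cannot run under this policy in-process, which is why the quoted design moves code generation into a separate process.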

According to comments posted on the disclosure, the Microsoft Security Response Center replied, “The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues.” MSRC was confident, worded as “positive,” that the patch would be ready by March 13th.

Google Project Zero pointed out that the date exceeded “the 90-day SLA and 14-day grace period to align with Update Tuesdays.” Therefore, Google disclosed the flaw.

But the fix may not roll out on March 2018 Patch Tuesday. Fratric noted that Microsoft wanted to clarify “because of the complexity of the fix, they do not yet have a fixed date set as of yet.”

So now the details are in the public domain and cyber thugs can get to work on exploiting it. On the bright side, how many people actually use Edge? NetMarketShare reported that Edge had a browser market share of 4.67 percent in January. Yet for the people that do use Edge, short of changing browsers, they will have to wait on Microsoft to roll out the patch.
