Security researchers at Google's Project Zero have publicised a flaw in Microsoft Edge before a patch has been readied.
The Project Zero team notified Microsoft about the vulnerability in the Edge browser's Arbitrary Code Guard (ACG) feature last November, giving the company 90 days to fix the bug.
Microsoft then asked for a further two weeks, telling Google that the “fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues”.
It added that the team was “positive that this will be ready to ship on 13 March, however this is beyond the 90-day SLA and 14-day grace period to align with Update Tuesdays.”
According to a posting on Chromium.org, if “content process is compromised and the content process can predict on which address JIT process is going to call VirtualAllocEx() next (note: it is fairly predictable), content process can: Unmap the shared memory mapped above using UnmapViewOfFile(), allocate a writable memory region on the same address JIT server is going to write and write a soon-to-be-executable payload there. When JIT process calls VirtualAllocEx(), even though the memory is already allocated, the call is going to succeed and the memory protection is going to be set to PAGE_EXECUTE_READ.”
Last February, Microsoft said that it would put Arbitrary Code Guard (ACG) in Microsoft Edge with the Windows 10 Creators Update to mitigate arbitrary native code execution.
“Since getting malicious code to be inadvertently executed in a targeted machine is the ultimate goal for threat actors, organisations could be at risk as the unpatched vulnerability could allow threat actors to surreptitiously plant or run malicious payloads.”
Arsene added that, once the patch becomes available, organisations should install it quickly to prevent attackers from exploiting the vulnerability.
Paul Ducklin, senior technologist, Sophos, told SC Media UK that Google's approach is that 90 days ought to be enough for anyone to fix any security bug, “so after 90 days it's OK to reveal publicly how the bug works”.
“The theory is that by 'dumping' bugs according to an inflexible algorithm, you can never be accused of favouritism by giving some companies more time than others,” he said.
“But there's a somewhat inhuman aspect to bug-dumping-by-numbers - namely that the soulless approach makes no differentiation between a company that's really not trying and has missed the deadline because it simply doesn't care about security, and one that has been trying hard but just hasn't made it in time.”