Google has gone public with details about a Microsoft Edge vulnerability that attackers could abuse and bypass one of the browser's security features —Arbitrary Code Guard (ACG).
ACG is a relatively new feature added to Edge's security model. Microsoft added support for ACG in Edge in April 2017, with the release of the Windows 10 Creators Update.
ACG was the second of two new features that Microsoft said would prevent attackers from using JavaScript to load malicious code into a computer's memory via Edge. Microsoft described the two new security features in a blog post last year. A summary of ACG and Code Integrity Guard (CIG) is below:
Google engineer finds ACG bypass
Ivan Fratric, a security engineer with Google's Project Zero team, has discovered a way to bypass ACG and allow an attacker to load unsigned code in memory, allowing attackers a way into Windows boxes via malicious websites loaded via Edge.
Fratric reported the issue to Microsoft last November, in a private bug report, but the deadline for fixing the bug passed.
"The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues," Microsoft told Fratric.
"The [Microsoft Edge] team IS positive that this will be ready to ship on March 13th," Microsoft added.
Second Edge bug Fratric has discovered
Details about this issue are now public. This is not the first time that Fratric has publicly disclosed a bug in Edge, doing so in February last year.
Fratric is also the author of Domato, a fuzzing tool for discovering security flaws in browser engines.
Comments
cat1092 - 6 years ago
Good to hear that someone's policing Microsoft other than themselves! In doing so, should prevent another large scale scandal like Intel pulled for a couple of decades.
We need more to find and disclose these vulnerabilities ASAP after finding & confirming the issue(s) are legit. No 'cooling off' period, this only allows for a fast Band-Aid type of fix, rather than long term ones, which happens to be what we need more of.
Cat
Negano - 6 years ago
Everyone's paying too much attention to Microsoft's product these days. I, for one, was not surprised and I don't care - because I don't use Edge.
https://software.informer.com/Stories/doubts-about-microsoft-edges-security.html
I have no doubts, I gave up on MS products long ago.