Microsoft Edge is the latest web browser from Microsoft and is available as part of Windows 10. It's supposed to be a better browser than the previous generation, Internet Explorer, and it did improve the browsing experience and performance compared with Internet Explorer. However, Google recently found a new vulnerability that websites can use to exploit the Edge browser for illegal purposes.
How it works
Google’s Project Zero team discovered the flaw in an important exploit mitigation technique in Edge. The flaw allows the security check to be bypassed. Edge uses ACG (Arbitrary Code Guard) to help stop malicious code from being loaded into memory. The goal of this defense is to ensure that only properly signed code can be loaded into memory. However, this is very difficult to combine with the JIT (Just-in-Time) compilers used in modern browsers.
JIT compilers translate JavaScript into native code so that it runs faster and more smoothly. A JIT compiler doesn’t check the signature of the code it produces, which allows some unsigned code to run in a content process. To make JIT compilers work with ACG, Microsoft moved JIT compiling into its own isolated sandbox. Microsoft claimed that it was a significant achievement.
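To make the ACG restriction described above concrete, here is an added C example (not from the original article or from Microsoft) that opts a process into ACG through the Windows SetProcessMitigationPolicy API and checks that the two operations an in-process JIT would need are refused. The function name acg_probe and the constant names are made up for this example; on non-Windows builds it only reports that ACG is unavailable.

```c
/* Added example: what Arbitrary Code Guard refuses once a process opts in.
   Meaningful on Windows 10; elsewhere acg_probe() reports "unsupported". */
#include <stdio.h>

#define ACG_UNSUPPORTED   (-1) /* not Windows, or the policy could not be set */
#define BLOCKED_RWX_ALLOC 0x1  /* a new writable+executable page was refused */
#define BLOCKED_RW_TO_RX  0x2  /* making a data page executable was refused */

#ifdef _WIN32
#include <windows.h>

int acg_probe(void)
{
    PROCESS_MITIGATION_DYNAMIC_CODE_POLICY policy = {0};
    int blocked = 0;
    DWORD old;

    /* Opt in to ACG. It cannot be switched off again for this process. */
    policy.ProhibitDynamicCode = 1;
    if (!SetProcessMitigationPolicy(ProcessDynamicCodePolicy, &policy, sizeof(policy)))
        return ACG_UNSUPPORTED;

    /* 1. Ask for fresh writable+executable memory, as an in-process JIT would. */
    void *rwx = VirtualAlloc(NULL, 4096, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (rwx == NULL && GetLastError() == ERROR_DYNAMIC_CODE_BLOCKED)
        blocked |= BLOCKED_RWX_ALLOC;

    /* 2. Allocate plain data, then try to flip it to executable. */
    void *rw = VirtualAlloc(NULL, 4096, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (rw != NULL && !VirtualProtect(rw, 4096, PAGE_EXECUTE_READ, &old)
        && GetLastError() == ERROR_DYNAMIC_CODE_BLOCKED)
        blocked |= BLOCKED_RW_TO_RX;

    if (rwx) VirtualFree(rwx, 0, MEM_RELEASE);
    if (rw)  VirtualFree(rw, 0, MEM_RELEASE);
    return blocked;
}
#else
int acg_probe(void) { return ACG_UNSUPPORTED; } /* ACG is a Windows feature */
#endif

int main(void)
{
    int r = acg_probe();
    if (r == ACG_UNSUPPORTED) { puts("ACG not available on this platform"); return 0; }
    printf("RWX allocation blocked:  %s\n", (r & BLOCKED_RWX_ALLOC) ? "yes" : "no");
    printf("RW -> RX change blocked: %s\n", (r & BLOCKED_RW_TO_RX) ? "yes" : "no");
    return 0;
}
```

With both operations blocked inside the process, a browser that wants JIT-compiled JavaScript has to generate that code somewhere else, which is why Edge's JIT runs in a separate process.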
The issue is in the way the JIT compiler writes executable data into the content process. A compromised content process, using the “ACG bypass via UnmapViewOfFile” technique, can predict the address at which the JIT process is going to call VirtualAllocEx() next. It can then allocate a writable memory region at the same address the JIT server is going to write to and create a soon-to-be-executable payload there.
Google informed Microsoft about this medium-severity issue in mid-November. After Google’s 90-day deadline passed, Google revealed the details of the bug. Microsoft confirmed the ACG bypass in its response to Google, and it seemed that a patch for the issue was targeted for February’s Patch Tuesday. However, Microsoft said that the bug was more complex than it had initially thought. Microsoft now aims to release the security patch on Patch Tuesday in March.
How to stay secure
For Microsoft Edge users, it’s best, for now, to avoid using the browser. The details of the bug are publicly available, which means they are available to cybercriminals as well. They’re likely to take advantage of the situation. Microsoft’s fix is also quite late to provide any protection against such attacks.
That’s why it’s best to use another popular web browser, for example Google Chrome, Mozilla Firefox or Opera. For an additional defense layer, get the best antivirus software of 2018.