Google has revealed details of a security vulnerability in Microsoft Edge before a patch has been produced. Through Project Zero, Google notified Microsoft about a bug in the browser's Arbitrary Code Guard (ACG) feature back in November, giving the company the usual 90-day disclosure deadline.
Google went further, granting Microsoft an additional two-week grace period at the company's request, but the vulnerability remains unfixed in Windows 10. As such, details of the "ACG bypass using UnmapViewOfFile" bug have now been made public.
The entry for the vulnerability on Project Zero explains the potential problem:
If a content process is compromised and the content process can predict at which address the JIT process is going to call VirtualAllocEx() next (note: it is fairly predictable), the content process can:
- Unmap the shared memory mapped above using UnmapViewOfFile()
- Allocate a writable memory region at the same address the JIT server is going to write to and write a soon-to-be-executable payload there.
- When the JIT process calls VirtualAllocEx(), even though the memory is already allocated, the call is going to succeed and the memory protection is going to be set to PAGE_EXECUTE_READ.
Google granted Microsoft a 14-day extension to the usual 90-day disclosure period after the company complained that the problem was more complex, and therefore more difficult to fix, than first thought. Having missed the second deadline, the information is now out there for everyone to see.