Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Google Discloses Unpatched Vulnerability in Edge Web Browser

Google Project Zero has made public the details of an unpatched vulnerability affecting the Edge web browser after Microsoft failed to release a patch within a 90-day deadline.

Google Project Zero has made public the details of an unpatched vulnerability affecting the Edge web browser after Microsoft failed to release a patch within a 90-day deadline.

Google Project Zero researcher Ivan Fratric has found a way to bypass Arbitrary Code Guard (ACG), a feature added by Microsoft to Edge in Windows 10 Creators Update alongside Code Integrity Guard (CIG).

The features, introduced in February 2017, are designed to prevent browser exploits from executing malicious code.

“An application can directly load malicious native code into memory by either 1) loading a malicious DLL/EXE from disk or 2) dynamically generating/modifying code in memory,” Microsoft explained. “CIG prevents the first method by enabling DLL code signing requirements for Microsoft Edge. This ensures that only properly signed DLLs are allowed to load by a process. ACG then complements this by ensuring that signed code pages are immutable and that new unsigned code pages cannot be created.”

Fratric showed that the ACG feature can be bypassed and informed Microsoft of his findings on or around November 17. The company had initially planned on patching the vulnerability with its February Patch Tuesday updates, but later determined that “the fix is more complex than initially anticipated.”

Microsoft now expects to release a fix on March 13, but the date exceeds Google Project Zero’s 90-day disclosure deadline so the details of the vulnerability have been made public. Project Zero has classified the flaw as having “medium” severity.

This is not the first time Project Zero has disclosed an unpatched vulnerability found by Fratric in Microsoft’s web browsers. In February 2017, it made public details and proof-of-concept (PoC) code for a high severity type confusion issue that could have been exploited to crash Internet Explorer and Edge, and possibly even execute arbitrary code.

The security hole, tracked as CVE-2017-0037, was fixed by Microsoft in March 2017, roughly two weeks after it was disclosed.

Advertisement. Scroll to continue reading.

Fratric is the creator of a fuzzer named Domato, which last year helped him uncover tens of vulnerabilities in popular web browser engines.

Related: SOP Bypass in Microsoft Edge Leads to Credential Theft

Related: Microsoft Patches Flaws in Windows, Office, Edge

Related: Microsoft Extends Edge Bounty Program Indefinitely

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Cyber exposure management firm Armis has promoted Alex Mosher to President.

Software giant Atlassian has named David Cross as its new CISO.

Dan Pagel has been named the new CEO of risk management and remediation firm Brinqa.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.