Microsoft Fails to Fix Edge Bug on Time - Google Makes It Public
CYBER NEWS

Microsoft Fails to Fix Edge Bug on Time – Google Makes It Public

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...

Google has revealed details about a flaw in Microsoft Edge browser after Microsoft missed the deadline for fixing it. Google had previously notified Microsoft about the vulnerability in the browser via Project Zero, giving them the usual 90-day disclosure deadline.

Related Story: Microsoft Edge Application Guard Will Protect against the Mimikatz Tool

More About the Unfixed Microsoft Edge Vulnerability

The report was about a bug in Edge’s Arbitrary Code Guard feature, and was released back in November. It should be noted that Google gave extra time to Microsoft – an additional two weeks on request – but despite the extra time the flaw is still existent in Windows 10.

The issue is expected to be fixed in March within the Patch Tuesday bunch of updates. According to experts, the bug is of medium severity and stems from the JIT (Just In Time) compiler for Javascript in Microsoft Edge. The security loophole within the browser could lead to a compromise by predicting the address of processes to be called. Even though the browser’s user share is not that big at all, the issue could still put users at risk, and it is indeed embarrassing that Microsoft is taking so long to address it.

Here is the official description of the bug:

If a content process is compromised and the content process can predict on which address JIT process is going to call VirtualAllocEx() next (note: it is fairly predictable), content process can:
1. Unmap the shared memory mapped above above using UnmapViewOfFile()
2. Allocate a writable memory region on the same address JIT server is going to write and write an soon-to-be-executable payload there.
3. When JIT process calls VirtualAllocEx(), even though the memory is already allocated, the call is going to succeed and the memory protection is going to be set to PAGE_EXECUTE_READ.

Related Story: Stop Cortana from Auto Searching Via Edge Browser and Bing

Wait for March 2018 Patch Tuesday

As mentioned in the beginning, Google gave Microsoft two additional weeks after the latter said it needed more time as the issue was more complex than initially thought. However, Microsoft missed the second deadline and Google went public. Windows 10 users who are running the Microsoft Edge browser should wait for March 2018 Patch Tuesday for a fix.

Avatar

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...