Project Zero has a controversial policy of giving software producers 90 days to fix any vulnerability its researchers find before going public, in an attempt to ensure a swift response.
In November, Project Zero researchers discovered a flaw in Edge that, if exploited, could enable attackers to bypass Microsoft’s Arbitrary Code Guard (ACG) to inject and execute malicious code.
ACG and Code Integrity Guard (CIG) were Microsoft’s response to the fact that most modern browser exploits attempt to transform a memory safety vulnerability into a method of running arbitrary native code on a target device.
While CIG is designed to allow only properly signed images to load, ACG is designed to prevent a content process from creating and modifying code pages in memory. But, as Project Zero researchers point out, to implement ACG, Edge uses a separate process for just-in-time (JIT) compiling.
This JIT process is also responsible for mapping native code into the requesting content process. This is achieved by creating a shared memory object using CreateFileMapping(). This object is mapped into the content process as PAGE_EXECUTE_READ and in the JIT process as PAGE_READWRITE using MapViewOfFile2().
At this point the memory is reserved, but not yet committed. When individual pages need to be written to, they are first allocated using VirtualAllocEx(). This also marks the memory as committed.
But if a content process is compromised and can predict at which address the JIT process is going to call VirtualAllocEx() next, which is “fairly predictable” according to Project Zero, the content process can unmap the shared memory, allocate a writable memory region at the same address the JIT server is going to write to, and write a soon-to-be-executable payload there.
When the JIT process then calls VirtualAllocEx(), even though the memory is already allocated, the call is going to succeed and the memory protection is going to be set to PAGE_EXECUTE_READ, according to Project Zero researchers.
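As an added illustration (not code from the article, from Project Zero or from Microsoft), the following C model replays the commit semantics described above on a simulated address space and shows how a region check before the commit in the JIT server would fail closed. The enum names, the page table and the check itself are assumptions of this model, not the Windows API or Microsoft's actual fix.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of a content-process address space: one entry per page with a
 * Windows-style state, type and protection. Names mirror the real flags, but
 * this is a simulation, not a call into the Windows memory manager. */
enum { ST_FREE, ST_RESERVED, ST_COMMITTED };
enum { TY_NONE, TY_MAPPED, TY_PRIVATE };    /* MEM_MAPPED vs MEM_PRIVATE */
enum { PR_NONE, PR_RW, PR_RX };             /* PAGE_READWRITE, PAGE_EXECUTE_READ */
#define NPAGES 8
struct page { int state, type, prot; };

/* Model of VirtualAllocEx(MEM_COMMIT, PAGE_EXECUTE_READ) as the article
 * describes it: a page that is already committed is accepted and simply gets
 * the requested protection, so the call succeeds either way. */
static bool jit_commit_rx(struct page *pg) {
    if (pg->state == ST_FREE) return false;
    pg->state = ST_COMMITTED;
    pg->prot = PR_RX;
    return true;
}

/* Hardened variant (illustrative assumption, not Microsoft's fix): the JIT
 * server first inspects the page, as it could with VirtualQueryEx, and refuses
 * unless it is still the reserved, uncommitted shared mapping it created. */
static bool jit_commit_rx_checked(struct page *pg) {
    if (pg->type != TY_MAPPED || pg->state != ST_RESERVED) return false;
    return jit_commit_rx(pg);
}

/* Run one scenario on a constructed address space and return the resulting
 * protection of the target page, or -1 if the JIT server refused the commit.
 * swapped: the shared page at the predictable address has been replaced by
 *          private, committed, writable memory (the situation the article
 *          describes).   checked: the JIT server uses the hardened routine. */
int jit_commit_outcome(bool swapped, bool checked) {
    struct page as[NPAGES];
    for (int i = 0; i < NPAGES; i++)           /* MapViewOfFile2: reserved only */
        as[i] = (struct page){ ST_RESERVED, TY_MAPPED, PR_NONE };
    int target = 3;                            /* the "fairly predictable" address */
    if (swapped)
        as[target] = (struct page){ ST_COMMITTED, TY_PRIVATE, PR_RW };
    bool ok = checked ? jit_commit_rx_checked(&as[target]) : jit_commit_rx(&as[target]);
    return ok ? as[target].prot : -1;
}

int main(void) {
    printf("swapped page, unchecked commit -> prot %d (2 = RX)\n", jit_commit_outcome(true, false));
    printf("swapped page, checked commit   -> %d (-1 = refused)\n", jit_commit_outcome(true, true));
    return 0;
}
```

The unchecked path turns the private writable page into an executable one, which is the ACG bypass the article describes; the checked path refuses while still serving the legitimate shared-mapping case.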
Although Project Zero classified the threat as “medium”, the researchers have shown that it can be exploited to bypass ACG and create an executable page in memory.
Microsoft was given the standard 90-day period to issue a security patch for the vulnerability, but was given a 14-day extension to the deadline due to the complexity involved in resolving the issue.
However, Project Zero went public after Microsoft missed this extended deadline and failed to issue a patch in its February security updates.
Microsoft is now reportedly expected to release a patch to fix the issue on 13 March, when its next monthly security update release is due.
Project Zero has come under fire in the past for disclosing vulnerabilities before software suppliers have issued a patch. Critics have said the policy exposes users of the affected software to attacks unnecessarily.
Microsoft has consistently campaigned for researchers to disclose vulnerabilities only to software suppliers, saying that “responsible disclosure” to suppliers without further disclosure helps ensure that customers receive comprehensive, high-quality updates before cyber criminals learn of – and work to exploit – a vulnerability.