Microsoft's Edge web browser contains a moderately rated vulnerability in its just-in-time (JIT) compiler for JavaScript. Because the company had not fixed the problem 105 days after it was reported, Google has now published the vulnerability.

Edge Vulnerability

Back in November 2017, security researchers from Google's Project Zero tracked down the vulnerability in Edge's JIT compiler and reported it to Microsoft. Companies normally get a 90-day deadline in such cases before the discoverers of security issues publicize the vulnerabilities. Google granted Microsoft 105 days in this case because of Edge's update cycle, but more days than that have now passed.

The Project Zero team has now released the details of the still-open bypass of an exploit protection technique. It concerns Arbitrary Code Guard (ACG), a technology in use since the Windows 10 Creators Update that is meant to protect against attacks from the Internet. If an attempt is made to load malicious code into memory, ACG steps in. This defense is meant to ensure that only correctly signed code can be mapped into memory. It conflicts, however, with just-in-time (JIT) compilers, which as a rule run native code, sometimes unsigned, in a content process.


The vulnerability circumvents this protection. As Google's Project Zero found, the problem arises because the JIT process writes executable data to the content process. To make JIT compilation work with ACG enabled, Microsoft moved Edge's JIT compilation into a separate process that runs in its own sandbox. According to Microsoft, this step was “a non-trivial engineering task”, which is now the main reason why the vulnerability cannot be resolved quickly.
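Why the JIT had to move out of the content process, shown as an added example (not code from Microsoft or Project Zero): once a process opts in to ACG, it can no longer create executable memory for itself. The function name `acg_self_test` and its return codes are assumptions of this example.

```c
/* Added example: watch ACG refuse dynamic code in the current process.
   Needs Windows 10; on other systems acg_self_test() reports UNSUPPORTED. */
#ifdef _WIN32
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0A00   /* expose the Windows 10 mitigation API */
#endif
#include <windows.h>
#endif
#include <stdio.h>

enum { ACG_UNSUPPORTED = -1, ACG_NOT_ENFORCED = 0, ACG_ENFORCED = 1 };

int acg_self_test(void)
{
#ifdef _WIN32
    /* Opt in to ACG. The setting cannot be switched off again for this process. */
    PROCESS_MITIGATION_DYNAMIC_CODE_POLICY policy;
    ZeroMemory(&policy, sizeof(policy));
    policy.ProhibitDynamicCode = 1;
    if (!SetProcessMitigationPolicy(ProcessDynamicCodePolicy, &policy, sizeof(policy)))
        return ACG_UNSUPPORTED;

    /* Attempt 1: ask for fresh pages that are writable and executable. */
    void *rwx = VirtualAlloc(NULL, 4096, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    DWORD alloc_err = rwx ? 0 : GetLastError();

    /* Attempt 2: take an ordinary data page and re-protect it as executable. */
    void *rw = VirtualAlloc(NULL, 4096, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    DWORD old = 0;
    BOOL flipped = rw != NULL && VirtualProtect(rw, 4096, PAGE_EXECUTE_READ, &old);
    DWORD protect_err = flipped ? 0 : GetLastError();

    /* With ACG on, both fail with ERROR_DYNAMIC_CODE_BLOCKED (1655). */
    printf("RWX alloc: %s (error %lu)\n", rwx ? "allowed" : "blocked", alloc_err);
    printf("RW -> RX:  %s (error %lu)\n", flipped ? "allowed" : "blocked", protect_err);

    if (rwx) VirtualFree(rwx, 0, MEM_RELEASE);
    if (rw)  VirtualFree(rw, 0, MEM_RELEASE);
    return (rwx == NULL && !flipped) ? ACG_ENFORCED : ACG_NOT_ENFORCED;
#else
    return ACG_UNSUPPORTED;   /* ACG is a Windows mitigation */
#endif
}

int main(void)
{
    int r = acg_self_test();
    printf("ACG: %s\n", r == ACG_ENFORCED ? "enforced"
                      : r == ACG_NOT_ENFORCED ? "not enforced" : "unsupported here");
    return r == ACG_NOT_ENFORCED;
}
```

A JavaScript engine running under this policy has no way to emit machine code in its own process, so the compiled code has to be produced elsewhere and mapped in.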


There is also an official statement from Microsoft. It states, among other things, that the fix is more complex than initially thought and that, because of memory management problems, a release date in February very likely cannot be met. “The team is confident that they will finish on March 13, but this is beyond the 90-day SLA and the 14-day deadline to adapt to the monthly updates.” That date is of course Patch Day, which is scheduled for the second Tuesday of each month.
