Google exposes security flaw in Microsoft Edge before a patch is ready

[ItsMitch]

Looks like Google and MSFT are having a good time with each other, kind of like that couple that argue over who's cooking dinner this evening..... Let's jump into the news

Source of the day is NeoWin who discovered it on the Chromium forums. 

 

Quote

Google's Project Zero initiative tasks its security researchers with finding flaws in various software products developed by the company itself as well as other firms. Back in 2016, it revealed a serious vulnerability present in Windows 10, and reported a "crazy bad vulnerability" in Windows in 2017.

Now, the firm has disclosed another security flaw in Microsoft Edge, after the Redmond giant failed to fix it in the allotted time.

Back in February 2017, Microsoft stated that it would be using Arbitrary Code Guard (ACG) in Microsoft Edge with the Windows 10 Creators Update to mitigate arbitrary native code execution. Although most modern web browsers rely on Just-in-Time (JIT) compilers, this created complications with ACG, which forced Microsoft to transition the JIT functionality of Chakra into a separate process that runs in an isolated sandbox, which according to the company, was a difficult task to accomplish.

Seems normal I guess, but it starts to go from oh, to oh deary very fast.

Quote

Now, the problem with this technique is that if the content process can predict the address on which the JIT process is going to call its VirtualAllocEx() function next - which can be done fairly easily, according to Google - and it is compromised, the content process can:

- Unmap the shared memory mapped above above using UnmapViewOfFile()

- Allocate a writable memory region on the same address JIT server is going to write and write a soon-to-be-executable payload there.

- When JIT process calls VirtualAllocEx(), even though the memory is already allocated, the call is going to succeed and the memory protection is going to be set to PAGE_EXECUTE_READ.

This is understandably a considerable security concern, and one which the Google security researcher has exploited, as detailed in his highly technical debug log which you can view here. In it, the researcher has successfully bypassed ACG and created an executable page in memory.

Microsoft initially classed this as a "Medium" in severity but they wasn't able to fix the problem in the 90 days as Google requested and the flaw went public on the Chromium forum. MSFT did release a small statement with the following. 

Quote

MSRC replied that "The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues. The team IS positive that this will be ready to ship on March 13th, however this is beyond the 90-day SLA and 14-day grace period to align with Update Tuesdays."

So it looks like people are fucked until March 13th for a new patch to be published. 

 

What is it with all these bugs this year? Jesus m'lord.

 

The post on the GPZ can be found: https://bugs.chromium.org/p/project-zero/issues/detail?id=1435

[deXxterlab97]

Microsoft Edge is the browser you use to download Google Chrome

[DrMacintosh]

Any some Microsoft security flaw news! 

[ItsMitch]

Just now, DrMacintosh said:

Any some Microsoft security flaw news! 

$5 this guy loves microsoft bugs  

[SpaceGhostC2C]

It's not the first time someone discloses an unpatched vulnerability after deciding enough time without action has passed. However, I wonder if there's any difference between such step being taken by an independent security researcher, and the same action being taken by the producer of a direct competitor to the software in question. I genuinely don't know what to think: should that matter, or the ethics are the same regardless of who discovers the vulnerability?

[vanished]

Hardly surprising, I don't think people really expect top notch security from Edge.  Certainly better than IE I think but yeah...

 

As for disclosing it before it was fixed, obviously that can be bad but if they don't have a timeline and stick to it, they won't keep these companies honest.  ie if Microsoft knew it wouldn't be disclosed until it was fixed, there wouldn't be much urgency to fix it, but if they know the leak is coming, they have to get on it and that's better for everyone.

[AlTech]

22 minutes ago, Ryan_Vickers said:

Hardly surprising, I don't think people really expect top notch security from Edge.  Certainly better than IE I think but yeah...

 

As for disclosing it before it was fixed, obviously that can be bad but if they don't have a timeline and stick to it, they won't keep these companies honest.  ie if Microsoft knew it wouldn't be disclosed until it was fixed, there wouldn't be much urgency to fix it, but if they know the leak is coming, they have to get on it and that's better for everyone.

Edge is supposed to be somewhat secure. The problem here is both sides should have better communicated.

 

The real issue nobody is talking about imho is the Edge PC Team is nowehere near large enough and they are not delivering innovative features and security patches fast enough.

[Misanthrope]

Seems unwise as I'm sure Microsoft could eventually fire back and point out holes on Android and Chrome before Google plugs them.

[Notional]

Maybe Google should worry more about fixing their own crap, so random games can't extract my fracking passwords:

 

[ItsMitch]

1 minute ago, Notional said:

Maybe Google should worry more about fixing their own crap, so random games can't extract my fracking passwords:

 

I mean, it's not really Google's fault that devs are utter cunts, devs are at fault *MOSTLY*

[Notional]

Just now, SC2Mitch said:

I mean, it's not really Google's fault that devs are utter cunts, devs are at fault *MOSTLY*

It is, however, their fault that a piece of software can even extract the passwords.

[dfsdfgfkjsefoiqzemnd]

12 minutes ago, AluminiumTech said:

Edge is supposed to be somewhat secure. The problem here is both sides should have better communicated.

 

The real issue nobody is talking about imho is the Edge PC Team is nowehere near large enough and they are not delivering innovative features and security patches fast enough.

What is there to communicate about?  Project Zero found a flaw, went through the appropriate channels to inform Microsoft and then waited 90 days as they usually do. 

If 3 months isn't enough to fix a flaw in your own software, perhaps you shouldn't be in the software business to begin with. 

 

The side of Edge's dev team ... well ... who determines the size of that team?  Microsoft. 

So who should have hired more people to begin with so that they could make a browser worth a damn?  Microsoft. 

[paddy-stone]

52 minutes ago, deXxterlab97 said:

Microsoft Edge is the browser you use to download Google Chrome

Only if you don't already have another browser on your server/hard drive etc, or download it with your phone or whatever and copy it over. There are ways to get a different browser without resorting to use the flawed one.

[porina]

Quote

The team IS positive that this will be ready to ship on March 13th, however this is beyond the 90-day SLA and 14-day grace period to align with Update Tuesdays.

Mostly non-news, but this surprised me a bit. I kinda wondered about that, given that MS routine security patch schedule is on 2nd Tuesday of each month, that could mean if Google notified them just after patch day, worst case they only realistically have 2 months to fix it to not have an unpatched exposure gap.

 

Then again, MS have also in the past offered out of cycle updates too, so that could remain a last resort.

[Guest]

1 hour ago, SC2Mitch said:

Microsoft initially classed this as a "Medium" in severity but they wasn't able to fix the problem in the 90 days as Google requested and the flaw went public on the

Not really any of Google's business to dictate how long Microsoft should fix their bugs.

[ItsMitch]

Just now, RorzNZ said:

Not really any of Google's business to dictate how long Microsoft should fix their bugs.

It's their Zero Day policy to disclose the bug after 90 days, I didn't even say that google should dictate? 

[Guest]

1 minute ago, SC2Mitch said:

It's their Zero Day policy to disclose the bug after 90 days, I didn't even say that google should dictate? 

Google shouldn't dictate. Requesting it to be fixed within 90 days is a bad policy to then reveal the flaw to everyone who doesn't know. It is allotting a certian time for them to fix it or they reveal the flaw. Its not a good policy at all and its blatant scare tactics for people to switch to chrome.

[ItsMitch]

2 minutes ago, RorzNZ said:

Google shouldn't dictate. Requesting it to be fixed within 90 days is a bad policy to then reveal the flaw to everyone who doesn't know. It is allotting a certian time for them to fix it or they reveal the flaw. Its not a good policy at all and its blatant scare tactics for people to switch to chrome.

If 3 months isn't enough to fix a "medium" level security flaw then I don't know what is, but judging by your signature imma go with you really don't care or are oblivious to patches. Also stop implying they suggest people to switch to chrome when it wasn't mentioned at all in the report.

[Guest]

1 minute ago, SC2Mitch said:

If 3 months isn't enough to fix a "medium" level security flaw then I don't know what is, but judging by your signature imma go with you really don't care or are oblivious to patches.

So because they havent fixed it, this means Google should post it so people can exploit it? Not really much sense there. My signature doesn't have any relevance to this topic.

[Zodiark1593]

26 minutes ago, paddy-stone said:

Only if you don't already have another browser on your server/hard drive etc, or download it with your phone or whatever and copy it over. There are ways to get a different browser without resorting to use the flawed one.

We should play a game. How many opportunities are presented for security to be compromised between loading up Edga on a freshly installed OS, and downloading Chrome/Firefox/other browser of choice?

[BuckGup]

1 hour ago, deXxterlab97 said:

Microsoft Edge is the browser you use to download Google Chrome

Nah opera 

[RagnarokDel]

Super dick move by GPZ.

[grimreeper132]

1 hour ago, deXxterlab97 said:

Microsoft Edge is the browser you use to download Google Chrome

Yea, I think I use IE more than I use edge (I need it to manage a couple switches I own which can only be connected easily to through IE)

[Bensemus]

1 hour ago, porina said:

Mostly non-news, but this surprised me a bit. I kinda wondered about that, given that MS routine security patch schedule is on 2nd Tuesday of each month, that could mean if Google notified them just after patch day, worst case they only realistically have 2 months to fix it to not have an unpatched exposure gap.

There’s 90 days and also 14 extra days so the patch can line up with a patch Tuesday.

[Sauron]

Why would you use edge anyway?

1 hour ago, Zodiark1593 said:

We should play a game. How many opportunities are presented for security to be compromised between loading up Edga on a freshly installed OS, and downloading Chrome/Firefox/other browser of choice?

Maybe manufacturers should start preinstalling browsers that don't actually suck, as well as disable some of the garbage "apps" and useless features Windows ships with... but I wouldn't be surprised if MS gave them a discount on the licenses specifically to avoid that.

1 hour ago, RorzNZ said:

So because they havent fixed it, this means Google should post it so people can exploit it?

Yes, yes it does. If they didn't, MS would be under no pressure to EVER fix this until someone with less than noble intentions finds it and exploits it, with the user being none the wiser until years later when the exploit is finally identified in the wild by some affected company's security experts. This has happened countless times in the past. Now developers get a grace period of 3 months and if they don't fix their garbage in that time, too bad for them - at least people can make the decision of not using that product if they care about security.