Google today disclosed a vulnerability in Microsoft Edge that has not been patched by Microsoft yet. The vulnerability makes it possible to circumvent a security measure from the Microsoft's default browser in Windows 10. The security measure that can be circumvented is called Arbitrary Code Guard (ACG).
ACG is a security measure that prevents an attacker from loading malicious code in memory. Combined with Code Integrity Guard it should make sure that only signed code be loaded in memory. Because this causes issues with Javascript Just-In-Time (JIT) compilers that convert Javascript to native code, Microsoft has moved that to a separate process that runs in its own isolated sandbox.
The isolated JIT process is responsible for compiling Javascript into native code and mapping it in the content process that requests it. This way the content process can never load or change its own JIT code pages. Nevertheless, a security researcher from Google reports he found a way to make the JIT process write unsigned data to the content process.
Google rates the impact of the vulnerability as "medium" and warned Microsoft about the issue on the 17th of November last year.
Microsoft answered that a fix for the issue would be very complex. The company also stated it would be unable to fix the issue before Google's initial deadline would expire. Vulnerabilities found by Google have a 90-day deadline after which they are disclosed. This period can be extended with two weeks. Microsoft was unable to fix the issue in both the initial and extended period and therefore Google made the vulnerability public today.
Although Microsoft was unable to meet Google's deadline, the company has stated it hopes to release a patch for the issue with March's Patch Tuesday.
