Arbitrary Code Resolved


A new method to bypass ACG was found by a Google Project Zero researcher called Ivan Fratric which was made public and Microsoft was unable to save the updated devices from this feature that was added on Edge.

This feature allows many browsers to alter a safe memory into a method of running some random codes on specific devices, which made the attacker capable of making his move on the device much easier and more facilitated. However, a successful defense could be made without even knowing the history of the attack by preventing those random codes from being executed.
Recently, a blog was published to demonstrate the usage of ACG and CIG where the researchers clarified “An application can directly load malicious native code into memory by either 1) loading a malicious DLL/EXE from disk or 2) dynamically generating/modifying the code in memory. CIG prevents the first method by enabling DLL code signing requirements for Microsoft Edge.” Further, it was stated “This ensures that only properly signed DLLs are allowed to load by a process. ACG then complements this by ensuring that signed code pages are immutable and that new unsigned code pages cannot be created.”

Fratric’s Bypass

The security features were bypassed via the Just in Time (JIT) compiler for Javascript. The process has been described by Fratric in the disclosed report as:
The JIT compiler was able to surpass the security features and that was described in Fratric’s report.
• Unmap the shared memory mapped above using UnmapViewOfFile()
• Allocate a writable memory region on the same address JIT server is going to write and write a soon-to-be-executable payload there.
• When JIT process calls VirtualAllocEx(), even though the memory is already allocated, the call is going to succeed and the memory protection is going to be set to PAGE_EXECUTE_READ.”

Microsoft’s Poor Deadline History

Unfortunately, Project Zero has faced many safety issues in Microsoft’s browser. Fratric has mentioned many bulnerabilites that could have caused disasters for Internet explorer and Edge. As usual, Microsoft could not cope with the deadline.

Consensus Non-Existent

Vulnerability deadlines have always caused a major problem to many companies, and that will be the case forever because companies and researchers do not agree on the specific responsible vulnerability disclosure. Google is never strict since it always mention that the deadline is 90 days and it could be extended to 104 days if you are able to attach the granted extension. CERT gives 45 days only while Zero Day Initiative gives around 120 days, which makes it very lenient.

Related Article: Russia is accused by UK Points for NotPetya Attacks