Google Project Zero has publicly disclosed the details of an unpatched vulnerability affecting the Edge web browser after Microsoft failed to release a fix within the 90-day disclosure deadline. Project Zero researcher Ivan Fratric found a way to bypass Arbitrary Code Guard (ACG), a feature Microsoft added to Edge in the Windows 10 Creators Update alongside Code Integrity Guard (CIG). Both features were introduced in February 2017 and are designed to stop browser exploits from executing malicious code.
“An application can directly load malicious native code into memory by either 1) loading a malicious DLL/EXE from disk or 2) dynamically generating/modifying code in memory,” Microsoft explained. “CIG prevents the first method by enabling DLL code signing requirements for Microsoft Edge. This ensures that only properly signed DLLs are allowed to load by a process. ACG then complements this by ensuring that signed code pages are immutable and that new unsigned code pages cannot be created.”
The Google Project Zero researcher demonstrated that the ACG feature can be bypassed and notified Microsoft of his findings on or around November 17, 2017. The company had initially planned to fix the vulnerability with its February Patch Tuesday updates, but later found that “the fix is more complex than initially anticipated.”
Microsoft now expects to release a patch on March 13, 2018, but that date falls outside Google Project Zero’s 90-day disclosure deadline, so the details of the vulnerability have been made public. Project Zero has rated the vulnerability as “medium” severity.
This is not the first time Project Zero has disclosed an unpatched vulnerability found by Fratric in Microsoft’s web browsers. In February 2017, it publicly released the details and Proof-of-Concept (PoC) code for a high-severity type confusion issue that could have been exploited to crash Internet Explorer and Edge, and possibly even to execute arbitrary code. The flaw, tracked as CVE-2017-0037, was patched by Microsoft in March 2017, about two weeks after it was disclosed. Fratric is also the author of a fuzzer named Domato, which last year helped him uncover dozens of vulnerabilities in popular web browser engines.