Google discloses vulnerability in Microsoft Edge

Google has disclosed a security flaw affecting the Edge browser’s JavaScript just-in-time (JIT) compiler, The Verge reported.

The issue stems from a change Microsoft unveiled when it moved just-in-time compiling from its Chakra JavaScript engine to a separate process.

It made the change to improve the security of the browser and defend against arbitrary code execution exploits that might emerge out of compiling JavaScript to a machine’s native code.

In its disclosure of the security flaw, Google said it is possible for an attacker to predict where the JIT process is going to call a function used to allocate individual pages before they are written to.

The function is named VirtualAllocEx().

Once the attacker predicts on which address VirtualAlloxEx() is going to be called next, they can:

  1. Unmap the shared memory mapped above using UnmapViewOfFile().
  2. Allocate a writable memory region on the same address JIT server is going to write, and write a soon-to-be-executable payload there.
  3. When the JIT process calls VirtualAllocEx(), even though the memory is already allocated, the call is going to succeed and the memory protection is going to be set to PAGE_EXECUTE_READ.

Grace period

Google originally gave Microsoft 90 days to fix the issue, but Microsoft’s Security Research Centre said the issue is more complex than first thought.

Google did not extend its 14-day grace period after the 90-day deadline.

Now read: Microsoft Edge now available on Android and iOS

Latest news

Partner Content

Show comments

Recommended

Share this article
Google discloses vulnerability in Microsoft Edge