In its disclosure of the security flaw, Google said it is possible for an attacker to predict where the JIT process is going to call a function used to allocate individual pages before they are written to.
The function is named VirtualAllocEx().
Once the attacker predicts on which address VirtualAllocEx() is going to be called next, they can:
- Unmap the shared memory mapped above using UnmapViewOfFile().
- Allocate a writable memory region at the same address the JIT server is going to write to, and write a soon-to-be-executable payload there.
- When the JIT process calls VirtualAllocEx(), even though the memory is already allocated, the call is going to succeed and the memory protection is going to be set to PAGE_EXECUTE_READ.
Google originally gave Microsoft 90 days to fix the issue, but Microsoft’s Security Research Centre said the issue is more complex than first thought.
Google did not extend its 14-day grace period after the 90-day deadline.