New Microsoft Edge security features were just bypassed, opening door for exploits

A security mitigation in Microsoft Edge was cracked by researchers at Google Project Zero, specifically targeting out-of-process JIT implementations.


Researchers at Google's Project Zero have bypassed Microsoft Edge security features that Microsoft designed to prevent the execution of malicious code.

Created to replace the aging Internet Explorer web browser, Microsoft Edge was built with security in mind. As is often the case with large software projects like a web browser, oversights occur, and in this case it is a big one.

The exploit involves attacking a flaw in how Microsoft designed Edge's arbitrary code mitigation defenses. In order to build Edge's defenses Microsoft had to reconfigure a fundamental part of modern web browser architecture: Just-In-Time (JIT) JavaScript compiling.

JIT compiles JavaScript into native machine code at run time for faster execution. Edge's arbitrary code defenses were incompatible with running a JIT inside the content process, so Microsoft moved JIT into its own isolated process. That's where things break down.

Edge's great idea and poor execution

The best way to understand how Project Zero engineers cracked Edge's security is to understand the basics of how it works.

Microsoft tackled arbitrary code mitigation with two interdependent mitigations: Code Integrity Guard (CIG) and Arbitrary Code Guard (ACG). CIG requires every DLL loaded into Edge's content process to be signed and verified.

CIG doesn't prevent modification of signed DLLs once they are loaded; that's ACG's job. Once CIG has verified code, ACG watches it to make sure nothing gets injected or altered while it's running.


CIG and ACG also depend on Control Flow Guard (CFG), which restricts where an application is allowed to transfer execution. CFG is meant to be another layer of protection against code injection.

The CIG, ACG, and CFG structure creates issues for JIT, which Microsoft moved into a separate siloed process as a workaround.

The Project Zero team discovered weaknesses in CFG that made it possible to inject code into the JIT process, which could then be handed back to the content process without ACG noticing. The end result was the ability to run malicious code, the very thing Edge was designed to prevent.

ACG, Project Zero said, does do its job of preventing arbitrary code execution. "However, due to mutual dependence of CFG, ACG and CIG and the shortcomings of CFG in Microsoft Windows, ACG alone can't be sufficient to stop advanced attackers from escaping a browser's sandbox and mounting other attacks."
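As an added example (not code from the article, from Microsoft or from Project Zero), here is how an administrator can confirm from PowerShell that the three mitigations just described are actually applied to running Edge content processes, rather than merely configured. It assumes Windows 10 version 1709 or later (which ships Get-ProcessMitigation), an elevated session, and that the legacy EdgeHTML content process image is named MicrosoftEdgeCP.exe; the nested property names (BinarySignature, DynamicCode, CFG) are those of the Get-ProcessMitigation output object.

```powershell
# Added example, not from the article or from Microsoft/Project Zero.
# Audits whether CIG, ACG and CFG are in force on running Edge content
# processes, so a defender knows which protections exist before deciding
# how much to rely on them.
#
# Assumptions: Windows 10 1709+ (Get-ProcessMitigation available), an
# elevated PowerShell session, and MicrosoftEdgeCP.exe as the EdgeHTML
# content process image. Verify the nested property names with Get-Member
# on your build if a field comes back empty.

function Get-EdgeMitigationReport {
    param([string]$ImageName = 'MicrosoftEdgeCP.exe')

    # -RunningProcesses returns the mitigations applied to each live instance,
    # not just the registry policy configured for the image name.
    Get-ProcessMitigation -Name $ImageName -RunningProcesses | ForEach-Object {
        [pscustomobject]@{
            ProcessId              = $_.Id
            # CIG: only Microsoft-signed images may be loaded into the process.
            CigMicrosoftSignedOnly = [string]$_.BinarySignature.MicrosoftSignedOnly
            # ACG: the process may not create new executable memory or make
            # already-mapped code pages writable.
            AcgBlockDynamicCode    = [string]$_.DynamicCode.BlockDynamicCode
            # If threads may opt out of ACG, the guarantee is weaker.
            AcgThreadsMayOptOut    = [string]$_.DynamicCode.AllowThreadsToOptOut
            # CFG: indirect calls are checked against a table of valid targets.
            CfgEnabled             = [string]$_.CFG.Enable
        }
    }
}

function Find-EdgeMitigationGaps {
    param([string]$ImageName = 'MicrosoftEdgeCP.exe')

    $report = @(Get-EdgeMitigationReport -ImageName $ImageName)
    if ($report.Count -eq 0) {
        Write-Warning "No running $ImageName processes found; open a page in Edge first."
        return
    }

    foreach ($p in $report) {
        $gaps = @()
        if ($p.CigMicrosoftSignedOnly -ne 'ON') { $gaps += 'CIG not enforced' }
        if ($p.AcgBlockDynamicCode    -ne 'ON') { $gaps += 'ACG not enforced' }
        if ($p.AcgThreadsMayOptOut    -eq 'ON') { $gaps += 'ACG thread opt-out allowed' }
        if ($p.CfgEnabled             -ne 'ON') { $gaps += 'CFG not enabled' }

        [pscustomobject]@{
            ProcessId = $p.ProcessId
            Status    = if ($gaps.Count -eq 0) { 'OK' } else { $gaps -join '; ' }
        }
    }
}

# Usage (elevated PowerShell, with Edge open):
#   Find-EdgeMitigationGaps | Format-Table -AutoSize
```

A row showing anything other than OK means one of the layers the article describes is missing on that process, which is worth knowing because, as the Project Zero quote above notes, the three mitigations only hold up together.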

What businesses using Edge need to do

Project Zero said that weaknesses it discovered in Microsoft's siloed JIT have been patched, but it doesn't say whether the method it described is still functional. It's safer to assume that such an exploit is still possible, and the team released its PoC for anyone who wants to test it.

Businesses using Microsoft Edge, or any other browser for that matter, shouldn't rely on built-in security to solve all their problems. It's better to not encounter malicious code at all if it can be avoided.

Good browsing habits, script blockers, and other browser extensions can do a lot to protect computers from online threats. Edge's defenses, and those built into other browsers, should be considered a last line of defense.

The big takeaways for tech leaders:
  • A vulnerability in the structure of Microsoft Edge's arbitrary code execution prevention makes it possible for attackers to bypass it and inject malicious code.
  • Instead of relying on built-in protection to stop internet threats, users should do everything they can to defend themselves, including using safe browsing habits and installing security-focused browser extensions.
