...The flaw affects Microsoft's Arbitrary Code Guard (ACG), a mitigation that aims to prevent arbitrary native code execution. ACG forced Microsoft to move its JIT (Just-in-Time) functionality into a separate process, effectively running it in an isolated sandbox. Google explained that the flaw works by predicting the address at which the JIT process calls its VirtualAllocEx() function:

  1. Unmap the shared memory mapped above using UnmapViewOfFile()
  2. Allocate a writable memory region at the same address the JIT server is going to write to, and write a soon-to-be-executable payload there.
  3. When the JIT process calls VirtualAllocEx(), even though the memory is already allocated, the call is going to succeed and the memory protection is going to be set to PAGE_EXECUTE_READ.

It is important to note that the bug has been classified as a "Medium" severity flaw and was disclosed to Microsoft by Google in November 2017. The company was given Google's standard 90-day deadline to fix the issue before it was disclosed to the public.

According to the Microsoft Security Response Center (MSRC), the problem turned out to be more complex than initially believed, so Google granted an additional 14-day grace period. Although the company missed this deadline in its February Patch Tuesday too - which forced Google to make the flaw public - Microsoft is confident that it will resolve the issue by March 13, aligning the shipment of the fix with the Patch Tuesday in March.
Read more: Google exposes security flaw in Microsoft Edge - Neowin