Google Exposes How Malicious Sites Can Exploit Microsoft Edge

Google's Project Zero team has published details of an unfixed bypass for an important exploit-mitigation technique in Edge. From a report: The mitigation, Arbitrary Code Guard (ACG), arrived in the Windows 10 Creators Update to help thwart web attacks that attempt to load malicious code into memory. The defense ensures that only properly signed code can be mapped into memory. However, as Microsoft explains, Just-in-Time (JIT) compilers used in modern web browsers create a problem for ACG. JIT compilers transform JavaScript into native code, some of which is unsigned and runs in a content process.

To ensure JIT compilers work with ACG enabled, Microsoft put Edge's JIT compiling in a separate process that runs in its own isolated sandbox. Microsoft said this move was "a non-trivial engineering task." "The JIT process is responsible for compiling JavaScript to native code and mapping it into the requesting content process. In this way, the content process itself is never allowed to directly map or modify its own JIT code pages," Microsoft says. Google's Project Zero found an issue is created by the way the JIT process writes executable data into the content process.

Here's an idea.

Let's ditch Javascript and go back to usable websites that don't require a fucking quad core CPU and 8GB of RAM just to view.

It's hard to exploit something when you can't run arbitrary code on it at all. "But muh infinite scrolling-" fuck your infinite scrolling. I've yet to see a website implement that properly where my browser tab didn't land up consuming 4 fucking gigabytes of RAM after 20 or so pages of stuff. God forbid I should refresh the page, lest I lose my position within your endless stream of crap content and advertisements.

The most usable websites I've seen these days are the ones that actually have pages I can click through, layout things in a clean and logical manner, and don't feel the need to animate every fucking widget that appears on the screen. Case in point:

http://www.motherfuckingwebsite.com

Re:Here's an idea.

Thank you. I've occasionally ranted against javascrap since 1998, but as usual, nobody listens.

I try to browse with javascript OFF, using OldOpera. I tried promoting Opera here on /. for many years and as usual, nobody listens.

Maybe everyone likes the whole ecosystem of codebloat, and constant breakages and fixes. Maybe it's a self-sustaining system.

Anyway, the point I wanted to make: you'd be surprised, maybe sickened, at how much your browser can be manipulated by css with javascript OFF.

Re:Here's an idea.

1. create a dom.
2. set styles.
3. without HTML, update the CSS of a div to hide/show

I'll be here waiting when you have a method for dynamically updating a DOM or hiding/displaying elements.

But..but...'state' you say. 'cookies' and 'page refreshes'. Yes, but then again a horse can pull a cart too and requires a less fucking energy to do it. Lets go back to horses and carts you say?

Re:Here's an idea.

[gnick]

I tried promoting Opera here on /. for many years and as usual, nobody listens.

I like Opera, but you're not going to find many users here. The few there were abandoned it when it was sold to the Chinese in 2016. For some reason, people don't trust the Chinese. People have looked pretty hard at it and the code was even leaked last year, but for some reason people trust MS & Google more than "Golden Brick Capital Private Equity Fund I Limited Partnership".

Re:Here's an idea.

[Viol8]

For good or bad, most people know where MS & Google are coming from and (windows 8 jokes aside) know they wouldn't deliberately put malicious code in their software. Some anonymous chinese company no one has ever heard off which could easily be yet another chinese government front is a whole other kettle of stinking fish.

Re:Here's an idea.

[gnick]

You're suggesting that "Golden Brick Capital Private Equity Fund I Limited Partnership" could be a shell? Surely you jest!

It's like they didn't even try.

Re:Here's an idea.

Because literally the only thing JavaScript is used for is infinite scrolling...

Re:Here's an idea.

[Merk42]

You could show/hide with checkboxes utilizing the :checked pseudo selector, but that's hacky.
You could also use <details> and <summary> if your browser supports it.

Any other DOM manipulation, say, getting only updated content via JSON and only updating that part of the page instead of a full page refresh, you're SOL.

Re:Here's an idea.

[DarkOx]

You realize Opera is just webkit now. So there is no point really. You might as well just use chromium

Re:Here's an idea.

Let's ditch Javascript and go back to usable websites that don't require a fucking quad core CPU and 8GB of RAM just to view.

It's not like you can't. Go ahead and do that on whatever websites you run. Yes, it's a good idea.

That's definitely an option for amateur websites. Amateurs can make good websites.

The problem is that pros can't. A pro's website is required to suck. If it doesn't suck yet, then it's broken. Because someone pays the pros, and that someone wants things to look and act a certain way. They aren't thinking about the web; they aren't thinking about whether or not it's a good idea to download and run untrustable code whenever you load a page, etc. They're thinking about having it be like whatever their vision happens to be. They're thinking about building user interfaces instead of presenting information and using the browser's already-existing UI.

Re:Here's an idea.

Here is one of many ways https://codepen.io/anon/pen/YeEoJB and Merk42 gave another.

Re:Here's an idea.

...most people know where MS & Google are coming from and (windows 8 jokes aside) know they wouldn't deliberately put malicious code in their software.

Ha, ha, ha, ha, ha!

Re:Here's an idea.

[TheRaven64]

I do precisely this on my work web page to show and hide abstracts and bibliography entries on my publications page. I use a hidden checkbox and adjust the style of the hidden divs based on the state of the checkbox. Oh, and CSS animates it for me as well.

To be fair, it's a pretty hacky solution and the JavaScript is a bit cleaner. That said, JavaScript is a general purpose programming language and is seriously overkill for something like this. Most of the things that I actually want people to be using JavaScript for on a web page could be solved by adding a checked state to all clickable DOM elements and using CSS selectors.

Note that CSS is now incredibly complex, and WebKit even includes a JIT for it, so it's not clear that it actually has a smaller attack surface.

Re:Here's an idea.

I tried promoting Opera here on /. for many years and as usual, nobody listens.

I like Opera, but you're not going to find many users here. The few there were abandoned it when it was sold to the Chinese in 2016. For some reason, people don't trust the Chinese. People have looked pretty hard at it and the code was even leaked last year, but for some reason people trust MS & Google more than "Golden Brick Capital Private Equity Fund I Limited Partnership".

O/P here- I was referring to 1998-2005 era. I specifically typed "OldOpera", meaning pre-Chrome / pre-China. "Presto" engine. Nothing's perfect but the ability to store per-site controls for javascript, cookies, plugins, etc., sold me, and I still use it as much as I can. I was, and am still surprised at how few "techies" used it, but then, I'm pretty cynical about most people who have flooded into the tech world...

Re:Here's an idea.

[fisted]

From http://www.motherfuckingwebsite.com:

<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');

ga('create', 'UA-45956659-1', 'motherfuckingwebsite.com');
ga('send', 'pageview');
</script>

Don't worry everyone APK will be along shortly

Don't fear everyone APK will be along shortly to tell us all that hosts stops all these attacks now and how NoScirpt sucks. He will then call people fake names, near-do-wells, Soros puppets, and do nothings.

Re:Don't worry everyone APK will be along shortly

That would be ne'er-do-wells

Re:Don't worry everyone APK will be along shortly

[TheFakeTimCook]

That would be ne'er-do-wells

I have always mistrusted a contraction that really doesn't "contract" anything. All that one does is replace the letter "v" with an apostrophe. What's the point?

Other than to "sound" like some Scottish Git when you say it in your head... (and I am of Scottish descent; so I can say that!)...

Not an electron microscope story. Did you mispost?

/. hasn't published an electron microscope story in probably a year or two.

I love the way Google pretend to be...

[Viol8]

... the white knights here, saving us from big nasty MS and its bugs. As if android and chrome are bug free, yeah right. Oh, and chrome also requires (on linux, don't know about other OS's) a sandbox process running with root privs. Hows that for a potential exploit - a browser component that requires root. Nice design google! But hey, I'm sure your sandbox code is 100% bug free, right?

Re:I love the way Google pretend to be...

Chrome is not run as root, start it up and see what user it is running as.

Re:I love the way Google pretend to be...

In the past, chrome actually used setuid to construct a secure chroot sandbox environment. However, today setuid no longer used, as they are always developing more modern sandboxing techniques with the state of the art.

Also, to your comment, if you think checking for root privileges is as simple as checking what user a process is running as, you are sorely mistaken at the complexity involved under the hood, Forgetting for a second the fact that programs like chrome actually consist of tens of processes each running with different privilege levels, processes can gain elevated privileges without actually having a uid or effective-uid of root. For example, capabilities, open file descriptors or other handles passed in. It's very difficult to display setcap capabilities granted to a given process.

Responsible disclosure?

These are the same folks that broke the Spectre and Meltdown disclosure embargo 6 days before patch Tuesday. That out of band release cost tens of millions of dollars, not to Microsoft, but to the companies that had to break normal procedures and deploy off-cycle patches.

You may think you're being helpful, Google, but you're being dicks. It's exposing your users to unnecessary risks.

Re:Responsible disclosure?

That out of band release cost tens of millions of dollars, not to Microsoft, but to the companies that had to break normal procedures and deploy off-cycle patches.

Bah. You think it got 'more dangerous' because spectre was disclosed? Quite the contrary.

6 days is hardly enough time for new exploits to be written and used in earnest. But the disclosure woke people up, and that is always a good thing.

Because some people knew spectre before disclosure. Not only those disclosing it, but the nefarious side too. There were exploits - an unknown number of hidden ones. Now people were alerted earlier - a good thing.

Never liked Edge anyway

Chrome has 60% market share or better for a reason. Edge has around 4% for good reason. Enough said.

NoScript = inferior/inefficient vs. hosts

NoScript doesn't do a FRACTION of what hosts do for you!

Can NoScript block & stall botnet client C&Cs? No.
Can NoScript protect vs. DNS down/poisoned? No.
Can NoScript protect vs. dns request log tracking? No.
Can NoScript protect vs. Dns blocklists? No.
Can NoScript protect vs. spam/phish malicious payloads? No.
Does NoScript speed you up 2 ways: adblocks & hardcodes? No.

NoScript operates slower parsing script src tags in usermode.

Hosts block before ad & 3rd party scripts in kernelmode (not slower usermode compounded in added messagepassing inside a browser & addons slow a browser which shows when stacked w/ other addons more)!

APK

P.S.=> Prove YOU've made better vs. my APK Hosts File Engine 10++ SR-1 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/ yourself (you can't you "ne'er-do-well" UNIDENTIFIABLE jealous stalker)... apk

Re:NoScript = inferior/inefficient vs. hosts

You're picking on a retarded jealous red headed stepchild that can't live up to your challenge that stalks you by unidentifiable anonymous posts apk!

LOL! I know but I let him prove it... apk

See subject: He's obviously butthurt due to trying to 'get the better of me' @ some point & failing on his part so I let him prove what he is (what you said) is all - big fun!

* I have an entire slew of bookmarks taking that little punk down & he's said he's a "security guru" & that I'd "shit my pants" IF I knew WHO he is (I only need to know WHAT he is, which is what you said, & to let him show the rest of you the same proving you correct - he does so every single time "RUNNING" like the "Forrest" (lol) he is)!

APK

P.S.=> Nothing QUITE like truth & fact to expose "his kind", lol (the INFERIOR ONES, the 'not men') - the TRUTH & FACT he HAS TO RUN like Forrest Gump vs. that challenge amuses me to NO end, lol... apk

Edgelord

[Presence+Eternal]

The joke used to be that Internet Explorer was only good for downloading better browsers. During the last few setups I've done, Edge wouldn't work well enough to download Vivaldi. So I used Internet Explorer.

Actually

Norway-based Vivaldi is the actual heir to Presto-engined Opera, not the Chinese-owned Blink-engined Opera.

Re:Actually

O/P here- on Vivaldi now, been using it for over a year- with lots of blocking / control extensions. It's only slightly less painful than Chrome...

Google = CIA+NSA

Oh, and chrome also requires (on linux, don't know about other OS's) a sandbox process running with root privs.

Google was funded by the CIA+NSA since day one.

Poor retarded APK

Poor retarded Alexander Peter Kowalski doesn't even realize that his work doesn't offer those benefits either.

This is easy to prove as he does not provide a complete list of all domains let alone host names, there for in every case where a lookup fails your computer has to fall back to DNS but you already wasted a bunch of time searching hosts so it is actually slower.

Throw in wild cards, that he also does not seem to understand, and it actually becomes physically impossible for his work do do anything yet it becomes trivial to circumvent all of his pathetic efforts.

Also if his work had any number of host names in it out of that didn't easily round to a value of 0% of all current host names it it would become so slow as to be unworkable and consume a massive amount of disk space and memory.

Even looking at TLDs he likely only has a value that maybe reaches a fraction of one percent.

Just because he doesn't understand simple math doesn't mean that it is wrong and he is right. We get it APK your work sucks, you are a retard, and hope that people here on /. will validate your existence since your parents still regret not aborting you.

Now go beat off to the latest Trump tweet or InfoWars article and leave the adults alone.

Exposing JEWgle

Khazar Talmudic Jews believe this of all they call goyim/gentiles (any non-jew): Jews = biggest racists of all (for which they "jew guilt" you for no less! They're hypocrites known as thieves all thru history or were Argentines in 1940 under Peron, Spanish inquistion & Spain 1492 (Christopher Columbus the jew https://duckduckgo.com/?q=%22C... sailed to the US for them to create it), France (1306), Egypt (despoiled/robbed by jews), Arabs (pre & post 1948), England (1330 Edward longshanks), Romans under titus, Russia pogroms and Germany who got rid of them from their nations nazi german's too? No. Driven into DESERTS ages ago! Don't wonder why after all those exilings above. Should anyone doubt any of this see Jacob Javits' crony Rosenthal spill the beans on it https://www.youtube.com/watch?v=D4zMVZ8HnFI/ where he called all Christianity fools for helping Israel and the biggest scam of all time per their beliefs below from their Talmud. This is the province of the synagogue of Satan (Pharisees whom Jesus Christ himself kicked to the curb out of the temple & they killed him for it. Jeremiah did the same to them also + the Essenes could not stand them either breaking away from the pharisee corruption):

Maria Abramovic satanist spirit cooker pal of Hillary Clinton the Voodoo queen is a jew https://www.google.com/search?...

Like Hillary Clinton's mentor Saul Alinsky author of rules for radicals book dedicated to Lucifer

"Most Jews do not like to admit it, but our god is Lucifer â" so I wasnâ(TM)t lying â" and we are his chosen people. Lucifer is very much aliveâ Harold Rosenthal http://www.thetruthseeker.co.u...

Jewish rabbi openly admits to satan worship use white children's blood they kill for passover bread, infiltrating and subverting the catholic church, creating the Jesuit order https://www.youtube.com/watch?... and https://www.youtube.com/watch?...

Barbara Spectre, a jew, tells everyone it's jews orchestrating the muslim migrant problem in Europe https://www.youtube.com/watch?v=MFE0qAiofMQ/ . No migrant raping of women in Poland. Tons in Sweden. Do the math. Use common-sense. This is to get muslims and other goyim/gentiles to wipe one another out as incompatible cultures that will clash and always have.

Rabbi A. Finkelstein ADMITS their greatest enemies are ARABS and WHITES (blacks too) whom they wish to kill one another in a 'theater of war' which they find AMUSING https://www.youtube.com/watch?...

Finkelstein also admits JEWS DID 9/11 (perpetrated by the Mossad & Bebe Netanyahu of ISRAEL) https://www.youtube.com/watch?... profiting by it (and that 3,000 jews employed there did not show up for work that day knowing about it beforehand).

Finkelstein also admits JEWS are going to destroy the U.S. Dollar and dumping it for other world currencies and gold to destroy the United States.

George Soros who funds groups to create division in the USA?? A jew. One who sold his own jew people into death for the nazis.

Zucker now FIRED @ CNN is another frying publicly for lying about "russians" and John Bonifield a producer @ CNN said it is bs. Van Jones did also.

Bernie Madoff (who made off with everyone's money, especially construction union pensions) shows the thieving nature of the JUDEN!

U haven't done better & blowing u away

See subject (you RAN "forrest" from a FAIR challenge to you, lol - you haven't created a better program).

FACT: I almost NEVER hit DNS since I place my top 100 fav. sites I spend MOST of my time online at @ TOP of hosts cached into RAM stupid RESOLVING THEM FASTER locally also!

FACT: Blocking ADS ALONE saves me FAR MORE TIME than an OCCASIONALY DNS lookup too dumbass!

FACT: wildcards cause false positives (like AV heuristics) - I do specifics avoiding that.

FACT: I never said "hosts cure all" (nothing does). I only say hosts do MORE, natively w/ what you already have, for FAR LESS resources used & complexity.

FACT: LOL, I love how you NOW have to deal with my parsing valid gTLD/TLD (removing ones that have been removed & thus removing useless bulk to parse per http://www.theregister.co.uk/2015/03/04/east_timor_was_officially_removed_from_the_internet_yesterday/ ).

APK

P.S.=> DUMBASS, vs. you & "your kind" (unidentifiable do-nothing "ne'er-do-wells")? I'm always right.... apk

Re:U haven't done better & blowing u away

FACT: LOL, I love how you NOW have to deal with my parsing valid gTLD/TLD (removing ones that have been removed & thus removing useless bulk to parse per http://www.theregister.co.uk/2015/03/04/east_timor_was_officially_removed_from_the_internet_yesterday/ [theregister.co.uk] ).

Those people in africa who speak that click language would have an easier time of having their point understood by an english speaker than you.

Where is the Google publication?

[ourlovecanlastforeve]

I couldn't find a link to the Google publication of this vulnerability in the linked article and was not able to find it using any search engine.

See retard APK talks to himself now

I see that retarded Alexander Peter Kowalski is now carrying on a conversation with himself pretending he has support from an AC.

Lets just double check that to be sure so that it can be confirmed for all to see shall we.

Uses the same language retard APK uses: check

Uses the same style retard APK uses: check

Posts as AC : check

The post looks like it is a cut and paste from one of retard APK's other posts: check

Uses shit grammar and punctuation: check

Sorry retard APK it looks like you were having a conversation with your self and it appears your other mental illnesses are showing now too.

Your challenges are much like the mentally ill I see on the streets in many a major city who rant and rave that the end is near or what not and should be ignored for much the same reasons. This is also typically the point at which you start to realize that you lost but can't admit it to your self so instead you go full retard.

But please go ahead and post some more to make yourself ever more the fool.

Retard APK better get cracking then

Sounds like you better get cracking then retard Alexander Peter Kowalski as your software needs some code changes, a recompile, and because it is you a new major version.

If I wrote code that shitty I would have been fired many times over as that basically makes it unmaintainable.

The only good thing that will come of this is that we all will get to watch as you throw one of your whiny little bitch shit fits as all the AV vendors flag your new version as malware.

While you are in there you might want to look into making the code less complex as it is just a shitty slow bloated file aggregator.

So why did you go through the effort in making it multi threaded and rolling your own DB functionality for something that is a trivial task and not something to hold up as the pinnacle of ones achievements?

LOL! Knew it - U = ALL mere 'talk'

See subject (you RAN "forrest" from a FAIR challenge to you, lol - you haven't created a better program).

FACT: I almost NEVER hit DNS since I place my top 100 fav. sites I spend MOST of my time online at @ TOP of hosts cached into RAM stupid RESOLVING THEM FASTER locally also!

FACT: Blocking ADS ALONE saves me FAR MORE TIME than an OCCASIONALY DNS lookup too dumbass!

FACT: Wildcards cause false positives (like AV heuristics) - I do specifics avoiding that.

FACT: I never said "hosts cure all" (nothing does). I only say hosts do MORE, natively w/ what you already have, for FAR LESS resources used & complexity.

FACT: You can't deal w/ me being RIGHT on parsing valid gTLD/TLD (removing removed ones removing useless bulk to parse per http://www.theregister.co.uk/2015/03/04/east_timor_was_officially_removed_from_the_internet_yesterday/ ).

APK

P.S.=> Bottom-line: * FACT: See subject blowhard talker ... apk

Re:LOL! Knew it - U = ALL mere 'talk'

APK the parent poster was talking in the general, you are talking in the specific. It is easy to talk about your online experiences since the only sites you visit are slashdot and the few man moose love sites that exist. That must be why you are so paranoid about there being DNS logs of your site lookups as you don't want the authorities to find out that you are the internet's premier purveyor of man moose love videos.

I'm laughing @ U, "Forrest" (Run boy!)

See subject & "See 'Forrest' (lol, YOU) RUN!!!" here lmao https://it.slashdot.org/comments.pl?sid=11755812&cid=56136784/ as I shot all your NO-MIND do-nothing ZERO nobody bullshit down easily point-by-point!

* Ah, it's just "too, Too, TOO EASY - just '2ez'" vs. ALL-TALK no ACTION losers (like you)!

APK

P.S.=> QUESTION: How does it FEEL having ME publicly EXPOSE you are an ALL TALK do nothing zero loser? LOL - "Inquiring minds want to know" (as you quake in impotent rage & yes, you ARE truly, impotent) apk

STFU w/ your utter bullshit already... apk

1st Parent post TROLL came in here offtopic trolling me (do you deny it you asswipe?) https://it.slashdot.org/comments.pl?sid=11755812&cid=56134884/ & you are him you idiotic fuck (do you actually *THINK* you 'fool anyone' other than your own DUMB ASS? Please - thought? It's mpossible for you - thought for you = a foreign concept entirely, lol).

2nd - you have NO IDEA where I go online either you presumptuous little goof!

Lastly - what is wrote isn't a DB dumbo - not even flatfile DB (but does same) & multithread design? I do since I ACTUALLY CAN DO IT, myself, BY HAND/HOMEMADE (unlike you blatantly PLAGIARISTIC "openSORES" douchebags that live under an ILLUSION/DELUSION you actually KNOW HOW TO CODE (you don't, cripples)) & I also see you PROJECT your own "StRaNgE" practices too (lol) onto me also!

APK

P.S.=> No questions asked - hosts kick the SHIT out of NoScript on TONS OF LEVELS by FAR https://it.slashdot.org/comments.pl?sid=11755812&cid=56136784/ ... apk

Re:STFU w/ your utter bullshit already... apk

Isn't that cute, moose fucker APK thinks I am one of his other trolls. I bet he thinks that only one person hates him and makes fun of his moose molesting ass. Maybe he should stick to sucking off and getting ass fucked by moose instead of trying to argue on the internet. I also hear he want to reenact 2 girls one cup with some other /. user.

You need 'hooked on phonics' illiterate troll

See subject & I LOVE the fact you have to concede 2 features my hosts program does no other does that work!

1.) Hosts hardcodes (stops DNS tracking + avoids dns security issues too)

2.) gTLD/TLD filtering (to avoid bloat in removed top level domains OR adding in BOGUS ONES that bloat the file even more (a possible)).

* When I do a job I do it RIGHT & do it myself (unlike you fucks)... & it comes out BETTER vs. ANY competitor of mine (in hosts programs).

APK

P.S.=> You "openSORES" blatantly PLAGIARISTIC chumps are under an ILLUSION you actually KNOW HOW TO CODE - & based on your FUCKUPS vs. me (tons), you don't @ all (makes me laugh & you make ME look GOOD too - thanks)... apk

You hate yourself "projectionist": Why?

You obsess over me (doubtless due to my kicking your ass many times like this) - I LOVE the fact you have to concede 2 features my hosts program does no other does that work!

1.) Hosts hardcodes (stops DNS tracking + avoids dns security issues too) & speeds you up too (faster local RAM resolution).

2.) gTLD/TLD filtering (to avoid bloat in removed top level domains OR adding in BOGUS ONES that bloat the file even more (a possible)).

* When I do a job I do it RIGHT & do it myself (unlike you fucks) & it comes out BETTER vs. ANY competitor of mine (in hosts programs).

(You can't & haven't done better)

APK

P.S.=> You "openSORES" blatantly PLAGIARISTIC chumps are under an ILLUSION you actually KNOW HOW TO CODE - & based on your FUCKUPS vs. me (tons), you don't @ all (makes me laugh & you make ME look GOOD too - thanks)... apk

ScriptSafe

Just use ScriptSafe for Chrome