Slashdot Mirror


Google Exposes How Malicious Sites Can Exploit Microsoft Edge (zdnet.com)

Google's Project Zero team has published details of an unfixed bypass for an important exploit-mitigation technique in Edge. From a report: The mitigation, Arbitrary Code Guard (ACG), arrived in the Windows 10 Creators Update to help thwart web attacks that attempt to load malicious code into memory. The defense ensures that only properly signed code can be mapped into memory. However, as Microsoft explains, Just-in-Time (JIT) compilers used in modern web browsers create a problem for ACG. JIT compilers transform JavaScript into native code, some of which is unsigned and runs in a content process.

To ensure JIT compilers work with ACG enabled, Microsoft put Edge's JIT compiling in a separate process that runs in its own isolated sandbox. Microsoft said this move was "a non-trivial engineering task." "The JIT process is responsible for compiling JavaScript to native code and mapping it into the requesting content process. In this way, the content process itself is never allowed to directly map or modify its own JIT code pages," Microsoft says. Google's Project Zero found that an issue is created by the way the JIT process writes executable data into the content process.
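Added example, not part of the Slashdot summary, the ZDNet report or any Microsoft code: a PowerShell audit of whether ACG is enforced for a given executable. ACG is exposed through the Windows Defender Exploit Guard cmdlets as the "dynamic code" mitigation (the same policy the summary describes, which blocks a process from mapping unsigned executable memory). The default image name `MicrosoftEdgeCP.exe` is an assumption about the name of Edge's content process, and the property paths under `DynamicCode` follow the cmdlet's output layout as assumed here; the `Get-AcgState` and `Enable-AcgForImage` functions are names chosen for this example.

```powershell
# Added example: audit the Arbitrary Code Guard (ACG) state of an executable
# using the Exploit Guard cmdlets (Get-/Set-ProcessMitigation, Windows 10 1709+).
# ACG is the "BlockDynamicCode" mitigation in those cmdlets.
# The default image name is an assumption about Edge's content process.
param(
    [string]$ImageName = 'MicrosoftEdgeCP.exe'   # assumed content-process name
)

function Get-AcgState {
    param([Parameter(Mandatory)][string]$Name)
    $m = Get-ProcessMitigation -Name $Name
    # Values are ON / OFF / NOTSET; NOTSET means the system default applies.
    # Property paths below assume the cmdlet's DynamicCode output section.
    [pscustomobject]@{
        Image            = $Name
        BlockDynamicCode = $m.DynamicCode.BlockDynamicCode
        ThreadsMayOptOut = $m.DynamicCode.AllowThreadsToOptOut   # weakens ACG if ON
        AuditOnly        = $m.DynamicCode.Audit                   # logs, does not block
    }
}

function Enable-AcgForImage {
    # Opt a test binary into ACG; an app that relies on JIT in-process
    # will fail to generate code once this is set, which is the point of
    # the out-of-process JIT design described in the summary.
    param([Parameter(Mandatory)][string]$Name)
    Set-ProcessMitigation -Name $Name -Enable BlockDynamicCode
    Get-AcgState -Name $Name
}

# Per-image setting for the requested executable.
Get-AcgState -Name $ImageName | Format-List

# System-wide default used by processes without an explicit entry.
$sys = Get-ProcessMitigation -System
"System default BlockDynamicCode: $($sys.DynamicCode.BlockDynamicCode)"
```

Run from an elevated PowerShell session; `Enable-AcgForImage` changes the per-image policy in the registry and is deliberately not invoked by default. A result of `NOTSET` for the image with `OFF` at system level means ACG is only enforced if the application opts in itself at runtime, which is how the Edge content process obtains it.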

12 of 51 comments

  1. Here's an idea. by Anonymous Coward · · Score: 5, Insightful

    Let's ditch JavaScript and go back to usable websites that don't require a fucking quad core CPU and 8GB of RAM just to view.

    It's hard to exploit something when you can't run arbitrary code on it at all. "But muh infinite scrolling-" fuck your infinite scrolling. I've yet to see a website implement that properly where my browser tab didn't land up consuming 4 fucking gigabytes of RAM after 20 or so pages of stuff. God forbid I should refresh the page, lest I lose my position within your endless stream of crap content and advertisements.

    The most usable websites I've seen these days are the ones that actually have pages I can click through, lay out things in a clean and logical manner, and don't feel the need to animate every fucking widget that appears on the screen. Case in point:

    http://www.motherfuckingwebsite.com

    1. Re:Here's an idea. by Anonymous Coward · · Score: 1

      1. create a dom.
      2. set styles.
      3. without HTML, update the CSS of a div to hide/show

      I'll be here waiting when you have a method for dynamically updating a DOM or hiding/displaying elements.

      But..but...'state' you say. 'cookies' and 'page refreshes'. Yes, but then again a horse can pull a cart too and requires less fucking energy to do it. Let's go back to horses and carts you say?

    2. Re:Here's an idea. by gnick · · Score: 3

      I tried promoting Opera here on /. for many years and as usual, nobody listens.

      I like Opera, but you're not going to find many users here. The few there were abandoned it when it was sold to the Chinese in 2016. For some reason, people don't trust the Chinese. People have looked pretty hard at it and the code was even leaked last year, but for some reason people trust MS & Google more than "Golden Brick Capital Private Equity Fund I Limited Partnership".

      --
      He's getting rather old, but he's a good mouse.
    3. Re:Here's an idea. by Viol8 · · Score: 1

      For good or bad, most people know where MS & Google are coming from and (Windows 8 jokes aside) know they wouldn't deliberately put malicious code in their software. Some anonymous Chinese company no one has ever heard of which could easily be yet another Chinese government front is a whole other kettle of stinking fish.

    4. Re:Here's an idea. by gnick · · Score: 2

      You're suggesting that "Golden Brick Capital Private Equity Fund I Limited Partnership" could be a shell? Surely you jest!

      It's like they didn't even try.

      --
      He's getting rather old, but he's a good mouse.
    5. Re:Here's an idea. by Merk42 · · Score: 1

      You could show/hide with checkboxes utilizing the :checked pseudo selector, but that's hacky.
      You could also use <details> and <summary> if your browser supports it.

      Any other DOM manipulation, say, getting only updated content via JSON and only updating that part of the page instead of a full page refresh, you're SOL.

    6. Re:Here's an idea. by DarkOx · · Score: 2

      You realize Opera is just WebKit now. So there is no point really. You might as well just use Chromium.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    7. Re:Here's an idea. by TheRaven64 · · Score: 1

      I do precisely this on my work web page to show and hide abstracts and bibliography entries on my publications page. I use a hidden checkbox and adjust the style of the hidden divs based on the state of the checkbox. Oh, and CSS animates it for me as well.

      To be fair, it's a pretty hacky solution and the JavaScript is a bit cleaner. That said, JavaScript is a general purpose programming language and is seriously overkill for something like this. Most of the things that I actually want people to be using JavaScript for on a web page could be solved by adding a checked state to all clickable DOM elements and using CSS selectors.

      Note that CSS is now incredibly complex, and WebKit even includes a JIT for it, so it's not clear that it actually has a smaller attack surface.

      --
      I am TheRaven on Soylent News
    8. Re:Here's an idea. by fisted · · Score: 1

      From http://www.motherfuckingwebsite.com:

      <script>
      (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
      (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
      m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
      })(window,document,'script','//www.google-analytics.com/analytics.js','ga');

      ga('create', 'UA-45956659-1', 'motherfuckingwebsite.com');
      ga('send', 'pageview');
      </script>

  2. Edgelord by Presence+Eternal · · Score: 1

    The joke used to be that Internet Explorer was only good for downloading better browsers. During the last few setups I've done, Edge wouldn't work well enough to download Vivaldi. So I used Internet Explorer.

  3. Actually by Anonymous Coward · · Score: 1

    Norway-based Vivaldi is the actual heir to Presto-engined Opera, not the Chinese-owned Blink-engined Opera.

  4. Where is the Google publication? by ourlovecanlastforeve · · Score: 1

    I couldn't find a link to the Google publication of this vulnerability in the linked article and was not able to find it using any search engine.