Security News New Microsoft Edge security features were just bypassed, opening door for exploits

LASER_oneXM · May 11, 2018

A security mitigation in Microsoft Edge was cracked by researchers at Google Project Zero, specifically targeting out-of-process JIT implementations.

Researchers at Google's Project Zero have bypassed Microsoft Edge security features that Microsoft designed to prevent the execution of malicious code.

Created to replace the aging Internet Explorer web browser, Microsoft Edge was built with security in mind. As is often the case with large software projects like a web browser, oversights occur, and in this case it is a big one.

The exploit involves attacking a flaw in how Microsoft designed Edge's arbitrary code mitigation defenses. In order to build Edge's defenses Microsoft had to reconfigure a fundamental part of modern web browser architecture: Just-In-Time (JIT) JavaScript compiling.

JIT involves translating JavaScript into native browser code for faster execution. Edge's arbitrary code defenses made it incompatible with JIT, so Microsoft moved JIT to its own isolated process. That's where things break down.

Edge's great idea and poor execution
The best way to understand how Project Zero engineers cracked Edge's security is to understand the basics of how it works.
.....
.......
.........

Daverk · May 12, 2018

A deluge of exploits and malware presently,be ever vigilant

shmu26 · May 12, 2018

But most people don't use Edge, so don't expect malcoders to target it very much.
And I bet the exploit is pretty hard to discover and actually do.

Azure · May 12, 2018

From the article:
> Project Zero said that weaknesses it discovered in Microsoft's siloed JIT have been patched

CyberTech · May 12, 2018

Whats going on with this world?!?! asf!

vtqhtr413 · May 12, 2018

shmu26 said:
But most people don't use Edge, so don't expect malcoders to target it very much.
And I bet the exploit is pretty hard to discover and actually do.

Then by dumb luck, I'm doing the right thing using edge.

shmu26 · May 12, 2018

CyberTech said:
Whats going on with this world?!?! asf!

All browsers that are regularly vetted are regularly found to have vulnerabilities.
In most cases, the vulnerabilities are patched before the malcoders discover them. They are usually discovered by whitehat researchers. This is the way it works.
Every once in a while, an unpatched vulnerability is discovered by a malcoder. Usually it is a nation-state spy agency, or is sold to a nation-state spy agency.

So if you are South Korean diplomat and you are stupid enough to use Internet Explorer and unprotected MS Word, and you are also idiotic enough to click on fishy email links while using your top-secret work computer, then you will get what's coming to you.

oldschool · May 12, 2018

BryanB said:
Then by dumb luck, I'm doing the right thing using edge.

Likewise, I'm using it more often because it runs well on my machine and it's a clean interface (dark mode). What's up with the new Edge Extension suggestions though?

shmu26 said:
All browsers that are regularly vetted are regularly found to have vulnerabilities.
In most cases, the vulnerabilities are patched before the malcoders discover them. They are usually discovered by whitehat researchers. This is the way it works....

Yes, the world is not simply full of bad guys!

Search

Security News New Microsoft Edge security features were just bypassed, opening door for exploits

LASER_oneXM

Level 37

Daverk

New Member

shmu26

Level 85

Azure

Level 28

CyberTech

Level 44

vtqhtr413

Level 26

shmu26

Level 85

oldschool

Level 82

Similar threads