Google reveals unpatched security vulnerability in Microsoft’s Windows 10

Google’s Project Zero security research team has disclosed a vulnerability it rates “high-severity” in Microsoft’s Windows 10 after Microsoft failed to patch it within Project Zero’s 90-day deadline. The flaw is a local elevation of privilege: an attacker who can already run code on the machine can use it to gain higher privileges.

For those unfamiliar, Project Zero is a team of security researchers employed by Google to find zero-day vulnerabilities before they are discovered and exploited by malicious actors. On finding a vulnerability and reporting it to the affected vendor, Google gives the vendor 90 days to fix it. If no patch ships within that window, Project Zero discloses the vulnerability publicly so that users can take steps to protect themselves.

The vulnerability was found by James Forshaw, a Project Zero researcher, who reported it to Microsoft on November 10 alongside a related Windows 10 issue. The report covers two bugs, tracked as Project Zero issues 1427 and 1428. Microsoft fixed 1427 in this month’s February Patch Tuesday release, judging it the more serious of the two, but left 1428 unpatched on the grounds that it is not a critical vulnerability.

According to the technical write-up in the Project Zero issue tracker, the vulnerability was tested on Windows 10 Fall Creators Update (version 1709). The bug is in the SvcMoveFileInheritSecurity remote procedure call (RPC). Forshaw also attached proof-of-concept code in C++ that creates an arbitrary file in the Windows folder and abuses the SvcMoveFileInheritSecurity RPC to overwrite that file’s security descriptor; a local user who can rewrite the permissions on a file in a system directory can use that to take control of the system.
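The consequence of a security descriptor overwrite like the one described above is a file in a system directory whose DACL now grants write-class rights to a low-privilege principal. The following PowerShell script is an added example, not code from the article or from Project Zero’s proof of concept: it audits files under a directory (the Windows folder by default, which is an assumption made here) and reports any Allow ACE that gives Everyone, BUILTIN\Users, Authenticated Users or INTERACTIVE the ability to modify the file or its permissions. Principals are compared by well-known SID so the check does not depend on the system language. It detects the weakened state exploitation would leave behind, not the vulnerability itself; the actual remedy is the vendor patch.

```powershell
# Added example (not from the article or the Project Zero PoC): report files whose
# DACL grants write-class rights to low-privilege principals. A security descriptor
# overwrite of the kind described above would surface here as a system file that
# Users or Everyone can modify.
param(
    [string]$Root = $env:WINDIR,   # assumption: audit the Windows folder by default
    [int]$MaxDepth = 1             # assumption: shallow scan keeps runtime reasonable
)

# Well-known SIDs that should never hold write rights on files in a system directory.
$LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-11',      # NT AUTHORITY\Authenticated Users
    'S-1-5-4'        # NT AUTHORITY\INTERACTIVE
)

# Rights that let the holder change the file's contents, its DACL or its owner.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-WeakFileAce {
    param([string]$Path)
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        return   # no READ_CONTROL on this file: skip it rather than abort the scan
    }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            continue   # unresolvable principal (e.g. orphaned SID); not one we care about here
        }
        if ($LowPrivSids -notcontains $sid) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            # An explicit (non-inherited) ACE on a system file is the stronger signal:
            # it was set on this file directly rather than propagated from its parent.
            Inherited = $ace.IsInherited
            Owner     = $acl.Owner
        }
    }
}

Get-ChildItem -LiteralPath $Root -File -Recurse -Depth $MaxDepth -ErrorAction SilentlyContinue |
    ForEach-Object { Get-WeakFileAce -Path $_.FullName } |
    Format-Table -AutoSize
```

Run it from an elevated prompt so that `Get-Acl` can read the descriptors of files a standard user cannot inspect. Some legitimate files under the Windows folder are writable by Users (per-application data, some log directories), so treat a hit as something to review against a known-good baseline rather than as proof of compromise; a non-inherited ACE on a binary or configuration file is the case worth investigating first.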

Google rates the issue “high-severity” because it is easy to exploit. Microsoft, however, classifies this Windows 10 elevation of privilege flaw as “important” rather than “critical,” since it cannot be exploited remotely or from within a sandboxed browser: the attacker must already be able to run code on the machine. Forshaw points out that the flaw is confirmed only on Windows 10; he has not verified whether it works on earlier versions such as Windows 7 or 8.1.

When Neowin contacted Microsoft for clarification regarding the security flaw, the company responded: “Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible.”

Only last week, Project Zero publicly revealed a bypass of Arbitrary Code Guard (ACG), a Windows 10 exploit mitigation, that Microsoft had likewise failed to fix in time. Microsoft had confirmed the ACG bypass and said it would fix the issue in February’s Patch Tuesday release, but it missed that release because the problem turned out to be “more complex” than initially thought. Microsoft is now targeting March’s Patch Tuesday release for the fix.

Source: Neowin