However, Google Project Zero researcher Ivan Fratric believes it’s not all it’s cracked up to be. In February, he published a bypass for AGC after Microsoft failed to fix it within the allotted 90-day period. The Edge teams took pains to fix the issue by ensuring the browsers Just in Time Javascript compilers meshed correctly with the feature. Though that bypass is mitigated, Fratric says there are ways determined attackers can bypass the mitigation. While ACG’s implementation is strong, a Windows 10 exploit mitigation called Control Flow Guard (CFG) that it depends on isn’t. This opens the PC to attack despite the protection of ACG.
A Long-Term Commitment
Though Fratric’s logic is clear, it’s also obvious he isn’t entirely impartial. In the paper, he promotes an alternative: Google Chrome. According to Fratric, Chrome’s site isolation could provide better protection in many cases. Site isolation runs each webpage in its own sandboxed process, making it difficult for attackers to cause damage to the user’s system. Unfortunately, this also causes a significant memory hit of 10-20%. With already significant competition it’s clear why Microsoft follows its own philosophy. Edge is sold as a fast, simple browser with little battery usage. Such an implementation could compromise that. Fratric also notes that the Edge team is dedicated to fixing this problem. “Currently, with a lot of known bypasses, bypassing CFG in Windows is not difficult. However, should Microsoft be able to fix all the known weaknesses of CFG, including adding the return flow protection, the situation might change in the next couple of years,” he said. “As Microsoft already showed intention to do this, we believe this is their long-term plan.”
