Since Microsoft released their Edge browser after going a long path with Internet Explorer, they’ve been trying to popularize it with users. Microsoft even introduced a separate link in the Windows Store for the Edge browser extensions. This isn’t all; a new change will definitely put users into a great discomfort.

The new “Edge” law

When using the default Windows Mail app, if you click any link, it would previously open the default web browser. By default, it’s safe to assume that your default browser is not Edge. But in the newest release, the clicked links will open through Edge browser.

Obviously, if you previously used Internet Explorer, you’ll notice remarkable changes in Edge browser. It’s improved and powerful. But that doesn’t mean that it’s compulsory for everyone, right? Microsoft always tries to push their products on their customers, this is nothing new.

Fortunately, this feature is only available in the Insider Preview build of Windows 10. As users try it out, they’ll provide their feedback on the Feedback Hub. Hopefully, Microsoft will change this feature in the future. If you’re interested to get access to Insider Preview builds and check out the latest features, get Windows 10 Insider Preview.

If you want to switch from Windows to Linux, it’s the best to check out some of the awesome Linux distributions of 2018.

The post Microsoft Enforces Edge in a New Way appeared first on Linux Windows and android Tutorials.

How it works

Google’s Project Zero team discovered the flaw within an important exploit mitigation technique in Edge. That flaw can bypass the security check. ACG (Arbitrary Code Guard) is used in Edge that helps to thwart malicious codes from loading into memory. Using this defense system, the target is to ensure that only properly signed codes can load into memory. However, this process is very troublesome while working with JIT (Just-in-Time) compilers used in the modern browsers.

JIT compilers translate the codes of JavaScript into native code to run faster and smoother. It doesn’t check the sign of the code, allowing some unsigned codes to run in a content process. In order to make JIT compilers work with ACG, Microsoft programmed JIT compiling to run in its own, isolated sandbox. Microsoft claimed that it was a significant achievement.

The issue is in the way that the JIT compilers build executable data into the content process. A compromised content, using “ACG bypass via UnmapViewofFile”, can predict the address which a JIT process is going to call VirtualAllocEx() next. It also allows to allocate a writable memory region on the same address JIT server’s going to write and create a soon-to-be-executable payload there.

Google informed Microsoft about this medium-severity issue in mid-November. After Google’s 90-day deadline passed, Google revealed the details about the bug. Microsoft confirmed the ACG bypass in response to Google to February’s Patch Tuesday. It seemed that the patch was targeted for the issue. However, Microsoft said that the bug was a more complex one than they primarily thought. Now, Microsoft targets to release security patch in Patch Tuesday in March.

How to stay secured

For Microsoft Edge users, it’s the best, for now, to avoid using the browser. The bug is publicly available and so, available to cybercriminals at the same time. They’re more likely to take the situation to their advantage. Microsoft’s fix is also quite late to provide any protection against such attacks.

That’s why it’s the best to use other popular & alternative web browsers, for example, Google Chrome, Mozilla Firefox, Opera etc. For an additional defense layer, get the best antivirus software of 2018.

The post Microsoft Edge – Security Flaw Exposed by Google appeared first on Linux Windows and android Tutorials.