attack against the new Microsoft Edge browser, which one expert called an ingenious attack.
Researchers from Vrije Universiteit in Amsterdam, Netherlands, noted in their paper, "Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector," that the "exploit can allow an attacker to gain arbitrary memory read [and] write access and 'own' a modern Microsoft Edge browser, even when the target browser is entirely free of bugs, with all its defenses turned on."
The attack leverages memory deduplication processes built into Windows 8.1 and Windows 10 to craft a reliable exploit based on the Rowhammer hardware vulnerability. Memory deduplication is a popular method used to minimize memory usage by combining memory pages that contain the same data, while a Rowhammer exploit repeatedly accesses a row of memory, causing bit flips in adjacent rows of some DRAM devices.
According to Robert Graham, CEO of Atlanta-based Errata Security, both of these types of exploits are rare, making the combination ingenious, but of limited use right now.
"It's a practical way of getting some small bit of data out of a system if you already know a lot about what is going on in the system," Graham said. "It could be used to reveal passwords, or it could be used in other cases to find sensitive pieces of data from the machine that could be combined to exploit the machine. Rowhammer is a physical attack and deduplication is part of the operating system, which means anything right on the machine is potentially vulnerable to that."
Graham said Rowhammer is not something hackers can exploit widely. More reliable exploits have been developed for DDR3 DRAM chips, but newer machines use DDR4 memory, which has not been as vulnerable. Only certain DDR4 chips have been found to be vulnerable to Rowhammer.
"That's one of those things about exploits -- over time, they only get worse. So, when Rowhammer came out, it was just DDR3, and now it's DDR4 and there's this interaction with this Microsoft feature," Graham said. "It only gets worse."