- Google announced a vulnerability on its Chrome browser, urging all users to update to a patched version
- The issue highlights how reliant Chrome’s security is on Windows and one ‘misplaced line of code’
This week, users of Google Chrome – of which there are 2 billion active installs – were told to urgently update their browsers, or risk exposing themselves to a new vulnerability.
Affecting Chrome users on all major operating systems, including Windows, Mac and Linux, the “use-after-free” vulnerability was uncovered by Sophos. It was a result of updates in Windows 10, and could allow attackers to run untrusted code by controlling memory that the browser had already freed but was still using.
It has since been announced that the vulnerability would affect any browser using the Chromium sandbox, with Mozilla confirming to Forbes its Firefox browser was also vulnerable.
A post by researcher James Forshaw of Google’s Project Zero explained that while the Chromium sandbox on Windows has “stood the test of time”, it “does have its weaknesses.”
He explained that the sandbox’s implementation relies on the security of the Windows OS, and in this case was undermined by a single misplaced line of code, leading to a vulnerability now tracked as CVE-2020-0981.
“Changing the behavior of Windows is out of the control of the Chromium development team. If a bug is found in the security enforcement mechanisms of Windows then the sandbox can break,” Forshaw wrote.
The Windows 10 ‘1903’ update meant that an attack conducted through the Chrome browser, among others, could break out of its sandbox and reach into Windows itself.
A blog post written by Sophos security researcher Paul Ducklin said the exploit would allow attackers “to change the flow of control inside your program, including diverting the CPU to run untrusted code that the attacker just poked into memory from outside, thereby sidestepping any of the browser’s usual security checks or ‘are you sure’ dialog.”
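To make the use-after-free pattern described above concrete, here is an added illustration in C; it is not code from Google, Sophos or the Chromium project, and the `resource` and `owner` types are hypothetical stand-ins for a browser-side object with two holders. The vulnerable path frees the object through one holder while the other still dereferences its stale pointer (the shape most browser use-after-free bugs take); the hardened path gives the object a single owner, clears the pointer on release and refuses any later use.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical object standing in for a browser-side resource (constructed for this example).
   The function pointer is what makes a dangling reference dangerous: whatever the allocator
   later places in this memory is treated as a live object and its "method" is called. */
struct resource {
    char label[16];
    int (*on_use)(const struct resource *);
};

static int handle_use(const struct resource *r) { return (int)strlen(r->label); }

/* A holder that keeps a reference to the resource. */
struct owner { struct resource *r; };

/* Vulnerable pattern: one code path releases the memory ... */
static void release_without_clearing(struct owner *o) { free(o->r); }

/* ... but the holder's pointer is left intact and is used afterwards.
   This is undefined behaviour; do not call it outside a sanitizer run. */
int use_after_free_vulnerable(void) {
    struct owner o;
    o.r = malloc(sizeof *o.r);
    if (!o.r) return -1;
    strcpy(o.r->label, "tab");
    o.r->on_use = handle_use;
    release_without_clearing(&o);   /* lifetime ends here; o.r now dangles */
    return o.r->on_use(o.r);        /* stale object and stale function pointer are used */
}

/* Hardened pattern: release takes the address of the owning pointer, scrubs the
   object so a stale copy cannot pass for a live one, frees it and clears the
   only reference. */
void resource_release(struct resource **rp) {
    if (rp && *rp) {
        memset(*rp, 0, sizeof **rp);
        free(*rp);
        *rp = NULL;
    }
}

/* Every use goes through one function that refuses a released object. */
int resource_use(const struct resource *r) {
    if (r == NULL || r->on_use == NULL) return -1;
    return r->on_use(r);
}

/* Returns the result of using the resource after it was released:
   -1, because the pointer was cleared and the use is refused. */
int use_after_free_hardened(void) {
    struct resource *r = malloc(sizeof *r);
    if (!r) return -1;
    strcpy(r->label, "tab");
    r->on_use = handle_use;
    if (resource_use(r) != 3) { resource_release(&r); return -2; }  /* live use works */
    resource_release(&r);
    return resource_use(r);   /* refused: r is NULL */
}

int main(void) {
    /* The vulnerable variant is deliberately not called here; compile with
       -fsanitize=address and call it to see the heap-use-after-free report. */
    printf("hardened use after release returned %d\n", use_after_free_hardened());
    return 0;
}
```

Building with `-fsanitize=address` and calling `use_after_free_vulnerable()` reports the stale read at the call site together with where the block was freed, which is the quickest way to confirm a suspected pattern of this kind in a code base; the hardened variant passes cleanly because no code path ever holds a pointer to released memory.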
Google said it would withhold further details until users had installed the patched version of Chrome.
Patched version ‘81.0.4044.113’ was rolled out this week, but the company also urged users to check manually and update the browser where the automatic update had not yet applied.
“I hope this gives an insight into how such a small change in the Windows kernel can have a disproportionate impact on the security of a sandbox environment,” Forshaw said in the post.
However, the security of Chrome still relies on Windows, and that’s the fundamental issue. Will you remain one of Chrome’s 2 billion users after this?