Microsoft Discloses Details of Critical Vulnerability in Google Chrome
Security researchers from Microsoft have revealed details about a critical vulnerability in the Google Chrome browser that allows attackers to execute code remotely. The Microsoft Offensive Security Research (OSR) team analyzed Chrome’s V8 JavaScript engine using ExprGen, a fuzzing tool Microsoft originally developed for testing its own Chakra JavaScript engine. During this analysis, the researchers found a bug that could leak data and enable arbitrary code execution inside Chrome’s renderer process.
How the Vulnerability Works
Chrome runs web content in a sandboxed renderer process, so a second, as yet undiscovered, vulnerability would be needed to escape that sandbox. The Microsoft researchers wanted to see how far an attacker could get without such a second bug. They found that arbitrary code execution in the renderer process alone was enough to bypass the Same Origin Policy (SOP), the browser rule that prevents scripts on one page from accessing data belonging to another origin.
With SOP bypassed, an attacker could read passwords saved for any website, inject arbitrary JavaScript into any page (universal cross-site scripting, UXSS), and silently navigate the browser to any site on the user’s behalf.
Potential Impact and Response
According to the researchers, two-factor authentication reduces the risk posed by password theft, but the ability to silently visit sites as the user is more concerning: it lets an attacker act as the user on any site where the user is already logged in.
Google fixed the vulnerability, tracked as CVE-2017-5121, in September with the release of Chrome 61, but had not yet published details about it at the time. For this and several other vulnerabilities, Google paid the Microsoft researchers a total of $15,837.
Patch Release Model Concerns
Microsoft also pointed out a weakness in Chrome’s patch release model, which is based on the open-source Chromium project: the source code changes that fix a vulnerability often appear on GitHub before the corresponding patch reaches users. This gives attackers a window in which to study the fix and exploit the vulnerability before end users are protected.
In response, Google criticized Microsoft’s policy for patching vulnerabilities in Windows. Google researchers noted that Microsoft often releases patches only for Windows 10, neglecting users of older operating system versions.
Previously, Google engineers have published information about vulnerabilities in Windows before the corresponding security updates were released.