A Chrome 85 update released by Google this week patches several high-severity vulnerabilities, including ones that can be exploited to hack users by convincing them to install malicious extensions.
The extension-related vulnerabilities, described by Google as “insufficient policy enforcement in extensions,” were discovered by researcher David Erceg in August. He identified three vulnerabilities of this type: CVE-2020-15961, a high-severity issue for which he received a $15,000 bug bounty; CVE-2020-15963, also a high-severity flaw, for which he earned $5,000; and CVE-2020-15966, which has been rated medium severity and for which the bug bounty has yet to be determined.
Erceg told SecurityWeek that the vulnerabilities he discovered all target a specific API made available to extensions; he has not named the affected API because Google has not mentioned it in its release notes either.
Exploitation of all three flaws involves convincing the targeted user to install a malicious extension with some specific privileges.
“Two of the issues (the high severity issues) allow an extension to download and run an executable file. In both cases, no user interaction would be required after the extension install,” Erceg explained. “In a real world attack, those issues would allow an extension to run an executable outside of the browser’s sandbox shortly after install (using the first issue, it could plausibly be done within a few seconds).”
He noted that the second high-severity vulnerability (CVE-2020-15963) can only be exploited to run an executable outside of the sandbox if certain conditions are met. If these conditions are not met, the attacker could still perform certain actions, such as accessing privileged pages or reading local files. Alternatively, an attacker could chain this flaw with another weakness to execute code outside of the sandbox.
The medium-severity issue, the researcher says, can be exploited by a malicious extension to read the content of local files, which an extension is normally not allowed to do without the user’s explicit permission.
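All three issues hinge on a user installing an extension that already holds certain privileges, and the article notes that after installation no further interaction is needed. The practical control is therefore to review what an extension requests before it is allowed in. The following Python script is an added example, not code from the article or from Google: it parses Chrome extension `manifest.json` files and flags permissions and host patterns that warrant manual review. The list of high-risk permissions is the example's own assumption (standard Chrome manifest permission names), chosen because they let an extension reach the filesystem, other processes or every site; the article does not name the API the vulnerabilities involve, so nothing here should be read as identifying it. The sample manifests are constructed.

```python
import json

# Assumed review policy for this example: manifest permissions that let an
# extension reach beyond the page it runs in. Standard Chrome permission
# names; the mapping to reasons is the example author's, not Google's.
HIGH_RISK_PERMISSIONS = {
    "nativeMessaging": "can exchange messages with a native host process outside the browser sandbox",
    "downloads": "can write arbitrary files to the downloads directory",
    "downloads.open": "can open a downloaded file with its OS handler",
    "debugger": "can attach to tabs and drive them over the DevTools protocol",
    "management": "can enable, disable or uninstall other extensions",
    "proxy": "can redirect all browser traffic",
    "webRequestBlocking": "can modify or block requests on matching hosts",
}

# Host patterns that grant access to every site, or to local files via file: URLs.
BROAD_HOST_PATTERNS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*", "file:///*")

# Manifest keys where permissions may appear (MV2 and MV3 layouts).
PERMISSION_KEYS = ("permissions", "optional_permissions",
                   "host_permissions", "optional_host_permissions")


def risky_permissions(manifest):
    """Return a sorted list of (permission, reason) for high-risk entries in a manifest dict."""
    found = {}
    for key in PERMISSION_KEYS:
        for perm in manifest.get(key, []):
            if perm in HIGH_RISK_PERMISSIONS:
                found[perm] = HIGH_RISK_PERMISSIONS[perm]
            elif perm in BROAD_HOST_PATTERNS:
                found[perm] = "broad host access (all sites or local files)"
    return sorted(found.items())


def audit(manifests):
    """Map extension name -> findings. Extensions with no findings are omitted."""
    report = {}
    for manifest in manifests:
        findings = risky_permissions(manifest)
        if findings:
            report[manifest.get("name", "<unnamed>")] = findings
    return report


# Constructed sample manifests (not real extensions).
BENIGN_JSON = """{
  "manifest_version": 3,
  "name": "Tab Counter (constructed sample)",
  "version": "1.0",
  "permissions": ["tabs", "storage"]
}"""

SUSPICIOUS_JSON = """{
  "manifest_version": 3,
  "name": "Free Coupon Finder (constructed sample)",
  "version": "2.3",
  "permissions": ["downloads", "downloads.open", "nativeMessaging", "storage"],
  "host_permissions": ["<all_urls>"]
}"""

SAMPLE_MANIFESTS = [json.loads(BENIGN_JSON), json.loads(SUSPICIOUS_JSON)]


def demo_report():
    """Run the audit over the constructed samples; used by the __main__ block below."""
    return audit(SAMPLE_MANIFESTS)


if __name__ == "__main__":
    for name, findings in demo_report().items():
        print(f"[REVIEW] {name}")
        for perm, reason in findings:
            print(f"    {perm}: {reason}")
```

On a real fleet you would feed `audit()` the `manifest.json` of every installed extension (under the browser profile's `Extensions` directory) and route anything it reports to a human before the extension is allowlisted, since the flaws described above need no user interaction once such an extension is in place.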
The Chrome 85 update that patches these vulnerabilities also addresses an out-of-bounds read issue in storage, for which an unnamed hacker earned $15,000, and an insufficient policy enforcement issue for which researchers Leecraso and Guang Gong of 360 Alpha Lab earned $10,000.
Leecraso and Guang Gong earlier this month received a $20,000 bug bounty from Google for reporting a high-severity vulnerability that can be exploited to escape the Chrome sandbox.