Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Microsoft Discloses Code Execution Flaw in Chrome

Microsoft has disclosed the details of a remote code execution vulnerability found by its employees in the Chrome web browser. Google patched the flaw last month with the release of Chrome 61.

Microsoft has disclosed the details of a remote code execution vulnerability found by its employees in the Chrome web browser. Google patched the flaw last month with the release of Chrome 61.

Microsoft’s Offensive Security Research (OSR) team analyzed Chrome’s V8 open-source JavaScript engine using ExprGen, a fuzzer developed by Microsoft for testing its own JavaScript engine, Chakra. Microsoft hoped that using ExprGen could help find some new bugs, given that publicly available fuzzers had likely already been used to test V8.

Microsoft’s tests initially led to the discovery of an information leak, which ultimately resulted in arbitrary code execution in the Chrome renderer process.

However, Chrome relies on sandboxing to ensure that web applications are executed in a restricted environment. This means that a second vulnerability, one that allows a sandbox escape, needs to be identified in order to take full and persistent control of a system.

Microsoft researchers wanted to determine how far they can go without finding a second vulnerability. They discovered that executing arbitrary code within a renderer process can be used to bypass the Single Origin Policy (SOP), which prevents a malicious script on one page from obtaining access to sensitive data on another web page.

Once the SOP is bypassed, an attacker can steal saved password from any website, inject arbitrary JavaScript into webpages via universal cross-site scripting (UXSS), and silently navigate to any website.

“A better implementation of this kind of attack would be to look into how the renderer and browser processes communicate with each other and to directly simulate the relevant messages, but this shows that this kind of attack can be implemented with limited effort,” Microsoft said in a blog post. “While the democratization of two-factor authentication mitigates the dangers of password theft, the ability to stealthily navigate anywhere as that user is much more troubling, because it can allow an attacker to spoof the user’s identity on websites they’re already logged into.”

The vulnerability is tracked as CVE-2017-5121 and it was patched by Google last month with the release of Chrome 61. Google has yet to make the details of the flaw public on its own bug tracker.

Microsoft researchers earned a total of $15,837 via Google’s bug bounty program for this and other vulnerabilities, an amount that they plan on donating to charity.

Microsoft also pointed out an issue with how Google releases patches for Chrome, which is based on the open-source browser project Chromium. The problem, according to Microsoft, is that source code changes that fix vulnerabilities often make it to GitHub before the actual patch is released to customers, which could give malicious actors the opportunity to exploit flaws against unprotected users.

On the other hand, Google also recently criticized Microsoft’s patch process, noting that attackers can compare patched Windows 10 builds to vulnerable builds in order to find flaws that they may be able to exploit against users of earlier versions of Windows.

Google researchers have found numerous vulnerabilities in Microsoft products in the past years, although the search giant has not always given Microsoft the opportunity to release a patch before making details public.

Related: Microsoft Patches Several Malware Protection Engine Flaws

Related: Google Discloses Unpatched Windows GDI Vulnerability

Related: Google Discloses Windows Zero-Day Vulnerability

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.