Microsoft has disclosed the details of a remote code execution vulnerability found by its employees in the Chrome web browser. Google patched the flaw last month with the release of Chrome 61.
Microsoft’s Offensive Security Research (OSR) team analyzed Chrome’s V8 open-source JavaScript engine using ExprGen, a fuzzer developed by Microsoft for testing its own JavaScript engine, Chakra. Microsoft hoped that using ExprGen could help find some new bugs, given that publicly available fuzzers had likely already been used to test V8.
Microsoft’s tests initially led to the discovery of an information leak, which ultimately resulted in arbitrary code execution in the Chrome renderer process.
However, Chrome relies on sandboxing to ensure that web applications are executed in a restricted environment. This means that a second vulnerability, one that allows a sandbox escape, needs to be identified in order to take full and persistent control of a system.
Microsoft researchers wanted to determine how far they can go without finding a second vulnerability. They discovered that executing arbitrary code within a renderer process can be used to bypass the Single Origin Policy (SOP), which prevents a malicious script on one page from obtaining access to sensitive data on another web page.
Once the SOP is bypassed, an attacker can steal saved password from any website, inject arbitrary JavaScript into webpages via universal cross-site scripting (UXSS), and silently navigate to any website.
“A better implementation of this kind of attack would be to look into how the renderer and browser processes communicate with each other and to directly simulate the relevant messages, but this shows that this kind of attack can be implemented with limited effort,” Microsoft said in a blog post. “While the democratization of two-factor authentication mitigates the dangers of password theft, the ability to stealthily navigate anywhere as that user is much more troubling, because it can allow an attacker to spoof the user’s identity on websites they’re already logged into.”
The vulnerability is tracked as CVE-2017-5121 and it was patched by Google last month with the release of Chrome 61. Google has yet to make the details of the flaw public on its own bug tracker.
Microsoft researchers earned a total of $15,837 via Google’s bug bounty program for this and other vulnerabilities, an amount that they plan on donating to charity.
Microsoft also pointed out an issue with how Google releases patches for Chrome, which is based on the open-source browser project Chromium. The problem, according to Microsoft, is that source code changes that fix vulnerabilities often make it to GitHub before the actual patch is released to customers, which could give malicious actors the opportunity to exploit flaws against unprotected users.
On the other hand, Google also recently criticized Microsoft’s patch process, noting that attackers can compare patched Windows 10 builds to vulnerable builds in order to find flaws that they may be able to exploit against users of earlier versions of Windows.
Google researchers have found numerous vulnerabilities in Microsoft products in the past years, although the search giant has not always given Microsoft the opportunity to release a patch before making details public.
Related: Microsoft Patches Several Malware Protection Engine Flaws
Related: Google Discloses Unpatched Windows GDI Vulnerability