TheWindowsClub News

TheWindowsClub Tech News covers the latest Microsoft Windows 10 news, along with other products & services like Office, etc.

One mistyped line in the Windows 10 code messed up Chrome’s security, says this researcher

In today’s world, trusting Google with someone’s data is highly questionable. Yet, Google Chrome remains to be the web browser with the most market share. However, Google’s Project Zero researcher James Forshaw highlighted the fact of Google Chrome being vulnerable in a blog post titled ‘You Won’t Believe what this One Line Change Did to the Chrome Sandbox’. He has pointed out that one mistyped line in the Windows 10 code messed up Chrome’s browser sandbox feature. This is due to the fact that Google Chrome’s security is totally reliant on Windows 10.

Windows 10 vulnerability messed up Chrome’s sandbox

Claiming the Google Chrome sandbox to be one of the better-deployed sandbox environments on Windows 10, James Forshaw claimed it to not being enough. He said,

“The main one being the sandbox’s implementation is reliant on the security of the Windows OS. Changing the behavior of Windows is out of the control of the Chromium development team. If a bug is found in the security enforcement mechanisms of Windows then the sandbox can break.”

This issue started when an update was pushed to Windows 10 versions starting Windows 10 version 1903, where an attack could be penetrated to Windows 10 when entered through Google Chrome.

The line should have been:

NewToken->ParentTokenId = OldToken->TokenId;

But it had been changed to:

NewToken->ParentTokenId = OldToken->ParentTokenId;

This completely breaks the check, as the new sandboxed process has a token which is considered a sibling of any other token on the desktop, said the researcher.

After this discovery, he found a number of ways to take advantage of this vulnerability as an attacker. This indirectly demonstrated the scope of risk involved with even small errors in the code of the Windows 10 operating system. However, James already reported this error to Microsoft, and a patch, CVE-2020-9081, has already been issued by Microsoft for this vulnerability.

This vulnerability affected all the web browsers based on the Chromium engine like Opera, Brave, Google Chrome, and even Microsoft’s own Edge browser.

This is one of those instances that encourage the user to always get the latest updates to their software from their respective providers.

Updated on Tags:

AyushVij@TWCN

Ayush has been a Windows enthusiast since the day he got his first PC with Windows 98SE. He is an active Windows Insider since Day 1 and is now a Windows Insider MVP. He has been testing pre-release services on his Windows 10 PC, Lumia, and Android devices.

Share via
Facebook
X (Twitter)
LinkedIn
Mix
Pinterest
Tumblr
Skype
Buffer
Pocket
VKontakte
Parler
Xing
Reddit
Line
Flipboard
MySpace
Delicious
Amazon
Digg
Evernote
Blogger
LiveJournal
Baidu
MeWe
NewsVine
Yummly
Yahoo
WhatsApp
Viber
SMS
Telegram
Facebook Messenger
Like
Email
Print
Copy Link
Powered by Social Snap
Copy link
CopyCopied
Powered by Social Snap