Microsoft has disclosed the details of a remote code execution vulnerability found by its employees in the Chrome web browser. Google patched the flaw last month with the release of Chrome 61.
Microsoft’s tests initially led to the discovery of an information leak, which ultimately resulted in arbitrary code execution in the Chrome renderer process.
However, Chrome relies on sandboxing to ensure that web applications are executed in a restricted environment. This means that a second vulnerability, one that allows a sandbox escape, needs to be identified in order to take full and persistent control of a system.
Microsoft researchers wanted to determine how far they could go without finding a second vulnerability. They discovered that executing arbitrary code within a renderer process can be used to bypass the Single Origin Policy (SOP), which prevents a malicious script on one page from obtaining access to sensitive data on another web page.
“A better implementation of this kind of attack would be to look into how the renderer and browser processes communicate with each other and to directly simulate the relevant messages, but this shows that this kind of attack can be implemented with limited effort,” Microsoft said in a blog post. “While the democratization of two-factor authentication mitigates the dangers of password theft, the ability to stealthily navigate anywhere as that user is much more troubling, because it can allow an attacker to spoof the user’s identity on websites they’re already logged into.”
Microsoft researchers earned a total of $15,837 via Google’s bug bounty program for this and other vulnerabilities, an amount that they plan on donating to charity.
Microsoft also pointed out an issue with how Google releases patches for Chrome, which is based on the open-source browser project Chromium. The problem, according to Microsoft, is that source code changes that fix vulnerabilities often make it to GitHub before the actual patch is released to customers, which could give malicious actors the opportunity to exploit flaws against unprotected users.
On the other hand, Google also recently criticized Microsoft’s patch process, noting that attackers can compare patched Windows 10 builds to vulnerable builds in order to find flaws that they may be able to exploit against users of earlier versions of Windows.
Google researchers have found numerous vulnerabilities in Microsoft products in recent years, although the search giant has not always given Microsoft the opportunity to release a patch before making details public.