
Windows 10 introduced a bug that destroyed the security of Google Chrome


Every month Microsoft releases security patches for Windows 10 to fix vulnerabilities in the operating system. The fixed vulnerabilities usually number in the tens, but with each new change other bugs are introduced as well. Now one of those bugs, introduced by Microsoft, has made it possible to hack Google Chrome.

This flaw has nothing to do with the one that Google itself patched this week in Chrome, which was a critical vulnerability that allowed access to memory freed by the browser. However, the effect of both vulnerabilities is similar, since both allowed breaking the isolation that all programs have on the system.

Google discovers that Chrome has not been safe in Windows 10 for a year


The flaw was present in the Windows 10 kernel and allowed bypassing the Google Chrome sandbox. It was discovered by Project Zero, Google's own team of security researchers, who say that the flaw was introduced in the Windows 10 May 2019 Update (1903).

The sandbox is a secure environment that isolates the programs we run in the operating system, preventing them from interacting with other programs without user permission. As a result, if a hacker takes control of one program, they cannot use it to access another and steal passwords or other information.

The security of each program's sandbox depends on the security of Windows 10. When a bug is introduced in Windows, all of those protection measures become useless, and that is what happened with last year's May update. Before it, new processes had restricted access to resources in order to block write access, since write access would let an attacker modify other areas of the operating system by writing files or registry keys.

Microsoft has already fixed the bug in the last Patch Tuesday

After the May 2019 Update, a bug allowed an attacker to make an application running at a certain integrity level run code at a different integrity level, potentially bypassing the sandbox. Google demonstrated that it was possible to bypass isolation in Chrome to make modifications. They also used other known vulnerabilities in Windows 10 to bypass it even more easily.


Thus, the final execution chain takes almost 20 steps to exit the browser, but as you can see in the diagram it is possible to do it. The security flaw has been assigned the identifier CVE-2020-0981, and Microsoft patched it in the April Patch Tuesday, released on April 14. If you are up to date with updates, you are already protected from the vulnerability.

This vulnerability shows that any small change made to the operating system must be thoroughly analyzed. The shorter paths out of the sandbox had mitigations, but this complex new path did not. At the moment it is not known how the error was introduced in the operating system, but it could be that someone updated the code believing that the previous behavior was an error.
