Windows Updates are known to break people’s machines in different ways, but no one ever would have guessed it could bring dark days for other apps as well.
Last week, the Google Project Zero team made a surprising disclosure (via Forbes) that how a single line of Windows code broke the sandboxing feature in Chromium, which fuels the Chrome browser.
The issue lies in an update released for Windows 10 1903 that changed the way access tokens for a process are handled in Windows, thereby allowing a potential attacker to escape Chrome’s sandbox.
Access tokens contain a Windows user account’s security identifier (SID) and privileges that are tied to a process or thread. A new access token is generated when a user logs into their system and a copy of it is provided to all the processes being executed.
Chrome’s sandboxing functionality uses a Windows feature called Restricted Token, where the access token of a process is modified to cut down on the level of permissions it can have. Here, a modification made to the Windows kernel code messed up the feature and created a security risk.
Also Read: ‘Sandboxie’ Is Now Open-Source: A Windows Utility For Sandboxing Apps
Google Project Zero researcher James Forshaw has developed an exploit to demonstrate sandbox escaping for the GPU process in Chrome, Edge, and Firefox.
The security feature bypass vulnerability, if exploited in the wild, could have compromised millions of devices across the globe as various Chromium-based web browsers rely on this technology. The list includes popular browsers such as Opera, and also Firefox which uses the sandboxing feature alone.
Thankfully, Microsoft acknowledged the problem and released a fix as part of April’s Patch Tuesday update. However, it mentioned that the exploitation of the vulnerability is less likely. Nonetheless, this has come up as an example of how a small change in the Windows OS can threaten the security of web browsers.
Meanwhile, how the code change happened remains a mystery; of course, it wasn’t intentional as Microsoft quickly issued a fix for it. It could be possible “that someone was updating the code and thought that this was a mistake and so “fixed” it,” Forshaw wrote in his blog post as he tried to guess the reason.
“Perhaps there was no comment indicating its purpose, or just the security critical nature of the single line was lost in the mists of time.”
