The good news is Forshaw alerted Microsoft to the problem and the company issued a patch ( CVE-2020-0981 ) to fix it. In outlining the different options, he warned: “I hope this gives an insight into how such a small change in the Windows kernel can have a disproportionate impact on the security of a sandbox environment.” He subsequently found multiple ways to escape Chrome’s security. Forshaw states that Microsoft introduced a Windupdate that enables online attacks conducted in the Chrome browser to break its security and spread into Windows itself. If a bug is found in the security enforcement mechanisms of Windows then the sandbox can break.”Īnd that’s exactly what happened. Changing the behavior of Windows is out of the control of the Chromium development team. The main one being the sandbox’s implementation is reliant on the security of the Windows OS. For all the good, it does have its weaknesses. “It’s considered one of the better sandboxing mechanisms deployed at scale without requiring elevated privileges to function. “The Chromium sandbox on Windows has stood the test of time,” Forshaw explains. Given Windows 10’s appalling recent update record, that’s not reassuring for either browser or platform. Moreover, Forshaw explains a new Windows 10 update recently broke through Chrome’s security with just a single line of misplaced code. In a fascinating post titled ‘You Won't Believe what this One Line Change Did to the Chrome Sandbox’, Google’s Project Zero researcher James Forshaw revealed that Chrome is entirely reliant on the code of Windows 10 to stay secure. However, I wouldn't mention them flippantly, without having the knowledge to back it up." I have put Forshaw's points to Firefox for a response. Explaining his decision not to focus more centrally on Firefox in his initial report, Forshaw explains: "I wasn't trying to throw them under a bus, it's not their fault that Windows is broken.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |