
István Kurucsai, security researcher for Exodus Intelligence, has published proof-of-concept code for a vulnerability in Google Chrome that has not yet been plugged. The researcher wants to show that there are problems with Google’s patch process.

The vulnerability, a remote code execution bug that lets an attacker run code on a user's system, has already been fixed in V8, Chrome's JavaScript engine, but the fix has not yet reached the stable release of the browser, Chrome 73. An estimated billion-plus people use this browser.

The vulnerability itself is reasonably harmless in its current form, writes ZDNet. On its own it is not a full exploit chain: it lacks a sandbox escape, so it cannot by itself run code on the underlying operating system. Attackers could, however, combine the current bug with an older Chrome sandbox escape to attack Chrome users who have not yet received a patch.

Problems in process

With the proof-of-concept, Kurucsai wanted to demonstrate that there are problems in Google's patch process. The process leaves a window of time in which cybercriminals can develop Chrome exploits and attack users. That gap comes from Chrome's software supply chain, which involves importing and testing code from various open source projects.

In this case, Google engineers fixed the V8 security problem on March 18, and the fix became visible in the V8 project's changelog and source code. The fix was not yet in the Chrome Stable release, however. From that point the patch still has to travel through Chrome's channels: it is first integrated into the Chromium open source project and then into the Chrome codebase.

It is then tested in the Chrome Canary and Chrome Beta releases before it lands in the Stable branch as a patch. "Although security solutions are readily available in the source tree, as a result of this open source development model, they need time to be tested in Chrome's unstable release channels before they can be pushed through the auto-update mechanism as part of a stable release," says Kurucsai.

"As a result, there is a short moment of a few days, sometimes even weeks, in which vulnerability details are practically made public, while most users are still vulnerable and are unable to get a patch."

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.