[ad_1]
04/25 Update below. This post was originally published on April 23.
Google is always improving Chrome and recently issued a brilliant update (if a long time ago). Unfortunately, Google has now detailed a serious new problem in Chrome that can’t be fixed, and it all boils down to Windows 10.
Edit: James Forshaw has clarified that Firefox is affected in the same way because it uses the Chromium sandbox that Mozilla confirms. The result is that Forshaw’s research exposes a vulnerability for the sandbox of all major browsers to updates in Windows 10. I have followed this up with Firefox, Opera, Brave and Microsoft and will update when I have more information.
04/25 Update: More information on this topic has been provided today by Product Safety Manager at Opera Cezary Cerekwicki. “Opera is a browser with Chromium and uses its sandboxing mechanisms. Browser security sandboxing depends on the characteristics and security of the operating system,” he explained, confirming that Opera was affected. “Kernel-level errors can affect all applications running on the operating system. Chrome sandboxing is considered next-generation, however, similar to any sandboxing, it relies on the lowest battery levels to run. Properly. It is important for each user to keep their operating system and applications updated to keep their computer environment as safe as possible. ” Of course, the challenge for any Windows 10 user, right now, is to track which updates cause more problems than they fix. The ball is in your court, Microsoft.
in a fascinating post Entitled “You Won’t Believe What This One Line Change Did To The Chrome Sandbox,” Google Project Zero researcher James Forshaw revealed that Chrome relies entirely on Windows 10 code to stay safe. Additionally, Forshaw explains that a new Windows 10 update recently broke Chrome security with a single line of code out of place. Given Windows 10 appalling recent to update RecordThis is not reassuring for the browser or the platform.
“Chrome sandbox [a security mechanism to stop failures from spreading to other software] on Windows it has stood the test of time, “explains Forshaw.” It is considered one of the best sandboxing mechanisms implemented at scale without requiring elevated privileges to function. For all the good, it has its weaknesses. The main one is that the implementation of the sandbox depends on the security of the Windows operating system. Changing Windows behavior is beyond the control of the Chromium development team. If an error is found in Windows security mechanisms, the sandbox may break. “
And that is exactly what happened. Forshaw claims that Microsoft introduced a Windows 10 1903 update that allows online attacks made in the Chrome browser to break its security and spread to Windows itself. He subsequently found multiple ways to escape Chrome security. Describing the different options, he cautioned, “I hope this gives you an idea of how such a small change in the Windows kernel can have a disproportionate impact on the security of a sandbox environment.”
The good news is Forshaw alerted Microsoft to the problem and the company released a patch (CVE-2020-0981) fix it. That said, the fundamental flaw identified by Forshaw remains: Google Chrome security on Windows 10 depends on Microsoft and that cannot be changed.
It is important to note that other Chromium based browsers are at the same risk (Opera, Brave, Microsoft’s new Edge browser), and that means you may be tempted to exit Windows 10 if you are more connected to your browser than to your operating system.
If you prefer to stay, a ray of light is a recent warning that Microsoft may be making Fundamental changes in Windows 10 updates But, for now, users have a choice to make.
___
Follow Gordon on Facebook
More about Forbes
New Google tab groups revitalize Chrome browser
Massive changes proposed for Microsoft Windows 10 updates
Google confirms serious vulnerabilities in the Chrome browser, issues a major solution