[ad_1]
Google is always improving Chrome and it recently issued to brilliant (if long overdue) upgrade. That said, there have also been some recent controversial changes, security problems and data concerns and now Google has detailed a serious new problem in Chrome which cannot be fixed. The result is users may find themselves forced to choose between Windows 10 and Chrome.
Google researchers have revealed a flaw in Chrome which cannot be fixed
In a fascinating post Titled ‘You Won’t Believe what this One Line Change Did to the Chrome Sandbox’, Google’s Project Zero researcher James Forshaw revealed that Chrome is entirely reliant on the code of Windows 10 to stay secure. Moreover, Forshaw explains a new Windows 10 update recently broke through Chrome’s security with just a single line of misplaced code. Given Windows 10’s appalling recent update record, that’s not reassuring for either browser or platform.
The Chromium sandbox [a security mechanism to stop failures from spreading to other software] on Windows has stood the test of time, ”Forshaw explains. “It’s considered one of the better sandboxing mechanisms deployed at scale without requiring elevated privileges to function. For all the good, it does have its weaknesses. The main one being the sandbox’s implementation is reliant on the security of the Windows OS. Changing the behavior of Windows is out of the control of the Chromium development team. If a bug is found in the security enforcement mechanisms of Windows then the sandbox can break. ”
And that’s exactly what happened. Forshaw states that Microsoft introduced to Windows 10 1903 update that enables online attacks conducted in the Chrome browser to break its security and spread into Windows itself. I have subsequently found multiple ways to escape Chrome’s security. In outlining the different options, I warned: “I hope this gives an insight into how such a small change in the Windows kernel can have a disproportionate impact on the security of a sandbox environment.”
The good news is Forshaw alerted Microsoft to the problem and the company issued a patch (CVE-2020-0981) to fix it. That said, the fundamental flaw Forshaw identified still remains: the security of Google Chrome on Windows 10 depends on Microsoft and that cannot be changed.
Perhaps working against Windows, is the fact that other Chromium-based browsers suffer the same risk, and that means you may instead be tempted to quit Windows 10 rather than Chrome / Chromium browsers if you are wedded to one variant, in particular, and understandably concerned about Microsoft’s look and shaky update record.
All of which means fundamental Windows 10 update improvements are more important than ever.
___
Follow Gordon on Facebook
More On Forbes
Google’s New Tab Groups Reinvigorate Chrome Browser
Massive Changes Tipped For Microsoft Windows 10 Upgrades
Google Confirms Serious Chrome Browser Vulnerabilities, Issues Important Fix
