cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

General Discussions

kingfish
MVP
‎05-27-2020 02:43 PM

A New Windows 10 Update Just Compromised Google Chrome

Considering all the posts about issues with Chrome.........

Google is always improving Chrome and it recently issued a brilliant (if long overdue) upgrade. Unfortunately, now Google has detailed a serious new problem in Chrome which cannot be fixed, and it's all down to Windows 10.  

Edit: James Forshaw has clarified that Firefox is impacted the same way because it uses the Chromium sandbox which Mozilla confirms. The result is Forshaw's research exposes a vulnerability for the sandbox of all major browsers to updates in Windows 10. I have followed this up with Firefox, Opera, Brave and Microsoft and will update when I have more information.

04/25 Update: More information about this issue has today been provided by Opera Product Security Manager Cezary Cerekwicki. "Opera is a Chromium-powered browser and uses its sandboxing mechanisms. The browser security sandboxing is dependent on the operating system’s features and security," he explained, confirming that Opera was affected. "Kernel-level bugs can impact every application running on the operating system. Chromium sandboxing is considered state-of-the-art, however, similar to any sandboxing, it relies on the lower levels of stacks to work properly. It’s important for every user to keep their operating system and application up to date in order to keep their computer environment as safe as possible." Of course, the challenge for any Windows 10 user, right now, is tracking which updates cause more problems than they fix. The ball is in your court, Microsoft.

04/26 Update: There is further information on this exploit which Firefox users need to take seriously. Expanding on his report, Forshaw states reiterates that "the same flaw because FF uses the Chromium sandbox," but notes that: "If anything FF is in a worse position as they process more untrusted content inside that sandbox than Chrome does."

Explaining his decision not to focus more centrally on Firefox in his initial report, Forshaw explains: "I wasn't trying to throw them under a bus, it's not their fault that Windows is broken. However, I wouldn't mention them flippantly, without having the knowledge to back it up." I have put Forshaw's points to Firefox for a response.

In a fascinating post titled ‘You Won't Believe what this One Line Change Did to the Chrome Sandbox’, Google’s Project Zero researcher James Forshaw revealed that Chrome is entirely reliant on the code of Windows 10 to stay secure. Moreover, Forshaw explains a new Windows 10 update recently broke through Chrome’s security with just a single line of misplaced code. Given Windows 10’s appalling recent update record, that’s not reassuring for either browser or platform. 

“The Chromium sandbox [a security mechanism to stop failures from spreading to other software] on Windows has stood the test of time,” Forshaw explains. “It’s considered one of the better sandboxing mechanisms deployed at scale without requiring elevated privileges to function. For all the good, it does have its weaknesses. The main one being the sandbox’s implementation is reliant on the security of the Windows OS. Changing the behavior of Windows is out of the control of the Chromium development team. If a bug is found in the security enforcement mechanisms of Windows then the sandbox can break.”

And that’s exactly what happened. Forshaw states that Microsoft introduced a Windows 10 1903 update that enables online attacks conducted in the Chrome browser to break its security and spread into Windows itself. He subsequently found multiple ways to escape Chrome’s security. In outlining the different options, he warned: “I hope this gives an insight into how such a small change in the Windows kernel can have a disproportionate impact on the security of a sandbox environment.”

The good news is Forshaw alerted Microsoft to the problem and the company issued a patch (CVE-2020-0981) to fix it. That said, the fundamental flaw Forshaw identified remains: the security of Google Chrome on Windows 10 depends on Microsoft and that cannot be changed. 

It's important to point out that other Chromium-based browsers suffer the same risk (Opera, Brave, Microsoft's new Edge browser), and that means you may be tempted to quit Windows 10 if you are more wedded to your browser than your operating system.

If you prefer to stay put, one ray of light is a recent tip-off that Microsoft might be making fundamental changes to Windows 10 updates but, for now, users have a decision to make.

A New Windows 10 Update Just Compromised Google Chrome 

3 Replies
black_zion
MVP
‎05-28-2020 07:53 AM

Wouldn't this also affect Edge since it was switched to the Chromium base?

On another note, it seems that Windows 10 was not the "last version of Windows", due to Windows 10X having to be an entirely new OS,

And a final note...God help us if Microsoft doesn't fix the Microsoft Store before they move to individual feature downloads from it. Downloads are so slow it's insane...

0 Likes
pokester
In response to black_zion
MVP
‎06-02-2020 02:16 PM

I would sure think it would affect any browser as they all run in the Windows 10 sandbox. 

It is absolutely insane, how much stuff Microsoft is breaking. 

In my over 4 decades as an IT professional I have never seen things this bad. 

In this day there literally isn't anything more important than browser security and they can't get that right. 

0 Likes
black_zion
In response to pokester
MVP
‎06-02-2020 04:25 PM

What gets me about Windows 10 updates is the amount of items which are broken which apparently have nothing to do with anything they targeted. KB4556799 and KB4552931, for example, caused issues like weird large fonts being used as the system default, and there's been similar stories for most every update since Windows 10 was released...