Windows 10 update weakened Google Chrome's security

LASER_oneXM

A Windows 10 kernel bug made it possible to escape Google Chrome's sandbox, a security researcher with Google Project Zero found. The vulnerability was introduced with version 1903 of the operating system on May 21, 2019.

Google Chrome's sandbox is a secure environment that downgrades browser processes to low permissions and cuts them from the rest of the system to prevent damage if hijacked by a malicious actor.

"For all the good, it does have its weaknesses. The main one being the sandbox’s implementation is reliant on the security of the Windows OS," James Forshaw, a security researcher in Google's Project Zero team of zero-day hunters, explained.

"Changing the behavior of Windows is out of the control of the Chromium development team. If a bug is found in the security enforcement mechanisms of Windows then the sandbox can break."
... ...
 
"Quote" The vulnerability was introduced with version 1903 of the operating system on May 21, 2019. What's wrong with this picture? It's taken up till now to discover this exploit??? This bug should have been detected a long time ago.
 
"Quote" The vulnerability was introduced with version 1903 of the operating system on May 21, 2019. What's wrong with this picture? It's taken up till now to discover this exploit??? This bug should have been detected a long time ago.
Look at the comment section in that article. Someone says it's already fixed.
 
This was just a friendly reminder to Google that they'd better not block/discriminate against Edge in future again :cool:
The bug probably affected all Chromium-based browsers, and that includes the new Edge.

Look at the comment section in that article. Someone says it's already fixed.
Right. "The security feature bypass vulnerability is being tracked as CVE-2020-0981 and it was patched by Microsoft as part of the April 2020 Patch Tuesday."
We can be sure that the Google team would not have publicized a bug in their own product, if it wasn't already patched.

"Quote" The vulnerability was introduced with version 1903 of the operating system on May 21, 2019. What's wrong with this picture? It's taken up till now to discover this exploit??? This bug should have been detected a long time ago.
It is common for bugs to be discovered after years and years. And there are surely a lot more that have not been discovered yet. It's like finding a needle in a haystack. But the bad actors also have a hard time finding the bugs, so it's a "fair" game.