The security feature in question is the Chromium sandbox. The sandbox should allow users to run apps and extensions is a virtual environment separate from your operating system. If the download you’re running in the sandbox contains malicious code, it won’t be able to access or infect your operating system.
It’s a very useful tool, but at some point Microsoft managed to include a “security feature bypass vulnerability” (as Microsoft itself terms it in a security advisory), which means Windows 10 failed to “properly handle token relationships”.
Essentially, what this means is that a malicious user could exploit the vulnerability and allow an application with one integrity level execute code at a different integrity level – and escape the Chromium sandbox and run code that could affect the host PC. Basically, exactly the opposite of what the sandbox is designed for.
As Google’s Project Zero team, which found this issue, notes in a blog post, “The sandbox works on the concept of least privilege by using Restricted Tokens” – and if those tokens aren’t handled correctly, your PC can be put at risk.
The whole blog post is worth reading – though it is very technical – as it explains in depth how this vulnerability works.
The fact that it affects Chrome – the most widely-used web browser in the world – is certainly worrying, even if you don’t use the sandbox feature. It shows that Microsoft’s recent problems with Windows 10 updates are affecting other developers' software as well.
It’s not just Chrome that’s been hit either, but any browser that uses the Chromium engine. Embarrassingly, that also now includes the new Microsoft Edge.
Perhaps even more embarrassingly, Microsoft has released a patch to fix the vulnerability – Windows 10 KB4549951 – but it's been discovered that that patch has been causing serious problems for some users.
We've contacted Microsoft for comment, and will update this story when we hear back.
- These are the best web browsers of 2020
Sign up for Black Friday email alerts!
Get the hottest deals available in your inbox plus news, reviews, opinion, analysis and more from the TechRadar team.
Matt is TechRadar's Managing Editor for Core Tech, looking after computing and mobile technology. Having written for a number of publications such as PC Plus, PC Format, T3 and Linux Format, there's no aspect of technology that Matt isn't passionate about, especially computing and PC gaming. Ever since he got an Amiga A500+ for Christmas in 1991, he's loved using (and playing on) computers, and will talk endlessly about how The Secret of Monkey Island is the best game ever made.