One of Microsoft’s Windows 10 updates was so bad it broke Google Chrome
And other Chromium browsers
Google has revealed that Microsoft managed to break an important security feature in all Chromium-based web browsers, including Chrome, with its Windows 10 1903 update.
The security feature in question is the Chromium sandbox. The sandbox should allow users to run apps and extensions is a virtual environment separate from your operating system. If the download you’re running in the sandbox contains malicious code, it won’t be able to access or infect your operating system.
It’s a very useful tool, but at some point Microsoft managed to include a “security feature bypass vulnerability” (as Microsoft itself terms it in a security advisory), which means Windows 10 failed to “properly handle token relationships”.
In English?
Essentially, what this means is that a malicious user could exploit the vulnerability and allow an application with one integrity level execute code at a different integrity level – and escape the Chromium sandbox and run code that could affect the host PC. Basically, exactly the opposite of what the sandbox is designed for.
As Google’s Project Zero team, which found this issue, notes in a blog post, “The sandbox works on the concept of least privilege by using Restricted Tokens” – and if those tokens aren’t handled correctly, your PC can be put at risk.
The whole blog post is worth reading – though it is very technical – as it explains in depth how this vulnerability works.
The fact that it affects Chrome – the most widely-used web browser in the world – is certainly worrying, even if you don’t use the sandbox feature. It shows that Microsoft’s recent problems with Windows 10 updates are affecting other developers' software as well.
Get daily insight, inspiration and deals in your inbox
Sign up for breaking news, reviews, opinion, top tech deals, and more.
It’s not just Chrome that’s been hit either, but any browser that uses the Chromium engine. Embarrassingly, that also now includes the new Microsoft Edge.
Perhaps even more embarrassingly, Microsoft has released a patch to fix the vulnerability – Windows 10 KB4549951 – but it's been discovered that that patch has been causing serious problems for some users.
We've contacted Microsoft for comment, and will update this story when we hear back.
- These are the best web browsers of 2020
Matt is TechRadar's Managing Editor for Core Tech, looking after computing and mobile technology. Having written for a number of publications such as PC Plus, PC Format, T3 and Linux Format, there's no aspect of technology that Matt isn't passionate about, especially computing and PC gaming. He’s personally reviewed and used most of the laptops in our best laptops guide - and since joining TechRadar in 2014, he's reviewed over 250 laptops and computing accessories personally.