Google has revealed that Microsoft managed to break an important security feature in all Chromium-based web browsers, including Chrome, with its Windows 10 1903 update.
The security feature in question is the Chromium sandbox. The sandbox should allow users to run apps and extensions in a virtual environment separate from the operating system. If the download you’re running in the sandbox contains malicious code, it won’t be able to access or infect your operating system.
It’s a very useful tool, but at some point Microsoft managed to include a “security feature bypass vulnerability” (as Microsoft itself terms it in a security advisory), which means Windows 10 failed to “properly handle token relationships”.
Essentially, what this means is that a malicious user could exploit the vulnerability to let an application running at one integrity level execute code at a different integrity level – and so escape the Chromium sandbox and run code that could affect the host PC. Basically, exactly the opposite of what the sandbox is designed for.
As Google’s Project Zero team, which found this issue, notes in a blog post, “The sandbox works on the concept of least privilege by using Restricted Tokens” – and if those tokens aren’t handled correctly, your PC can be put at risk.
The whole blog post is worth reading – though it is very technical – as it explains in depth how this vulnerability works.
The fact that it affects Chrome – the most widely-used web browser in the world – is certainly worrying, even if you don’t use the sandbox feature. It shows that Microsoft’s recent problems with Windows 10 updates are affecting other developers' software as well.
It’s not just Chrome that’s been hit either, but any browser that uses the Chromium engine. Embarrassingly, that also now includes the new Microsoft Edge.
Perhaps even more embarrassingly, Microsoft has released a patch to fix the vulnerability – Windows 10 KB4549951 – but it's been discovered that the patch itself has been causing serious problems for some users.
We've contacted Microsoft for comment, and will update this story when we hear back.