News

Google Downplays 'Sandbox' Vulnerability Flaw

A newly discovered hole in Google Chrome's built-in sandbox protection could lead to a remote code execution, according to Acros Security.

The Slovenia-based security firm outlined the vulnerability in an e-mail sent to Google Chrome's developer team at the end of September. In it, the company outlined how a hidden configuration file could be uploaded by an attacker to bypass the security features of the Chrome sandbox.

"It is another case of file planting, where an application loads a data file (as opposed to binary file, leading to binary planting) from the current working directory," wrote Acros, in a blog posting. "Similarly to our previously reported file planting in Java Runtime Environment...Chrome loads a data file, namely pkcs11.txt, from the root of the current working directory and in case the file exists, parses and processes its content."

In a response to the vulnerability disclosure, Google said the issue is actually not a "security bug" due to the fact that it would be extremely difficult to pull off. "The preconditions to exploit this are too stretched: non-default browser configuration, freshly started browser, ability to get someone to load a file from your share (which means either being on the same internal network, or somehow getting them to mount a WebDAV share)," wrote Google.

Additionally, some of the preconditions that must be present for a successful exploit include having the Chrome's default browser set to Google, a potential victim cannot visit any other Web site that sends HTTPS requests before the malicious data file is downloaded and installed, and Chrome's working directory must be set to a controlled location for it to work.

While Google has notified other browser companies of this issue, including Mozilla, it said it has no plans to fix the issue due to its low risk level. Google summed up its position with the following statement: "Strange behavior, but we're not treating this as a security bug."

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.

Featured

  • Office Mobile Apps To End as Microsoft Highlights New Office App

    Microsoft plans to end support for Windows 10 Mobile applications on Jan. 12, 2021, according to a Friday announcement.

  • Is Microsoft Finally Reinventing Office?

    Microsoft is testing out a new technology called "Fluid Framework." It could mean that Brien's dream of one Office app to rule them all might soon become reality.

  • Azure Active Directory Connect Preview Adds Support for Disconnected AD Forests

    Microsoft on Thursday announced a preview of a new "Cloud Provisioning" feature for the Azure Active Directory Connect service that promises to bring together scattered Active Directory "forests."

  • Microsoft Defender ATP Gets macOS Investigation Support

    The endpoint and detection response (EDR) feature in Microsoft Defender Advanced Threat Protection (ATP) has reached the "general availability" stage for macOS devices.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.