04/26 Update below. This post was originally published on April 23
Google is always improving Chrome and it recently issued a brilliant (if long overdue) upgrade. Unfortunately, now Google has detailed a serious new problem in Chrome which cannot be fixed, and it’s all down to Windows 10.
Edit: James Forshaw has clarified that Firefox is impacted the same way because it uses the Chromium sandbox which Mozilla confirms. The result is Forshaw’s research exposes a vulnerability for the sandbox of all major browsers to updates in Windows 10. I have followed this up with Firefox, Opera, Brave and Microsoft and will update when I have more information.
04/25 Update: More information about this issue has today been provided by Opera Product Security Manager Cezary Cerekwicki. “Opera is a Chromium-powered browser and uses its sandboxing mechanisms. The browser security sandboxing is dependent on the operating system’s features and security,” he explained, confirming that Opera was affected. “Kernel-level bugs can impact every application running on the operating system. Chromium sandboxing is considered state-of-the-art, however, similar to any sandboxing, it relies on the lower levels of stacks to work properly. It’s important for every user to keep their operating system and application up to date in order to keep their computer environment as safe as possible.” Of course, the challenge for any Windows 10 user, right now, is tracking which updates cause more problems than they fix. The ball is in your court, Microsoft.
04/26 Update: There is further information on this exploit which Firefox users need to take seriously. Expanding on his report, Forshaw states reiterates that “the same flaw because FF uses the Chromium sandbox,” but notes that: “If anything FF is in a worse position as they process more untrusted content inside that sandbox than Chrome does.”
Explaining his decision not to focus more centrally on Firefox in his initial report, Forshaw explains: “I wasn’t trying to throw them under a bus, it’s not their fault that Windows is broken. However, I wouldn’t mention them flippantly, without having the knowledge to back it up.” I have put Forshaw’s points to Firefox for a response.
In a fascinating post titled ‘You Won’t Believe what this One Line Change Did to the Chrome Sandbox’, Google’s Project Zero researcher James Forshaw revealed that Chrome is entirely reliant on the code of Windows 10 to stay secure. Moreover, Forshaw explains a new Windows 10 update recently broke through Chrome’s security with just a single line of misplaced code. Given Windows 10’s appalling recent update record, that’s not reassuring for either browser or platform.
“The Chromium sandbox [a security mechanism to stop failures from spreading to other software] on Windows has stood the test of time,” Forshaw explains. “It’s considered one of the better sandboxing mechanisms deployed at scale without requiring elevated privileges to function. For all the good, it does have its weaknesses. The main one being the sandbox’s implementation is reliant on the security of the Windows OS. Changing the behavior of Windows is out of the control of the Chromium development team. If a bug is found in the security enforcement mechanisms of Windows then the sandbox can break.”
And that’s exactly what happened. Forshaw states that Microsoft introduced a Windows 10 1903 update that enables online attacks conducted in the Chrome browser to break its security and spread into Windows itself. He subsequently found multiple ways to escape Chrome’s security. In outlining the different options, he warned: “I hope this gives an insight into how such a small change in the Windows kernel can have a disproportionate impact on the security of a sandbox environment.”
The good news is Forshaw alerted Microsoft to the problem and the company issued a patch (CVE-2020-0981) to fix it. That said, the fundamental flaw Forshaw identified remains: the security of Google Chrome on Windows 10 depends on Microsoft and that cannot be changed.
It’s important to point out that other Chromium-based browsers suffer the same risk (Opera, Brave, Microsoft’s new Edge browser), and that means you may be tempted to quit Windows 10 if you are more wedded to your browser than your operating system.
If you prefer to stay put, one ray of light is a recent tip-off that Microsoft might be making fundamental changes to Windows 10 updates but, for now, users have a decision to make.
Follow Gordon on Facebook
More On Forbes
Google’s New Tab Groups Reinvigorate Chrome Browser
Massive Changes Tipped For Microsoft Windows 10 Upgrades
Google Confirms Serious Chrome Browser Vulnerabilities, Issues Important Fix