Google has again disclosed details of a security vulnerability in Windows 8.1 after Microsoft failed to patch it. This disclosure is notable because the vulnerability makes it possible to attack the sandbox of Google Chrome, Adobe Reader and other products.
The sandbox in Chrome serves as an additional security layer in case vulnerabilities are discovered in the browser. The Chrome sandbox itself depends on the underlying operating system. “While you can try and use every available security feature, sometimes the OS developer ends up subverting your efforts”, according to James Forshaw of the Google Zero Project, a team of hackers and researchers that searches for vulnerabilities in popular software.
Forshaw notes that escaping from a sandbox usually requires several vulnerabilities that on their own might not seem serious but that, put together, make it possible to attack a system. In this case, too, several issues combine to cause trouble. Google Chrome uses a feature called a “job object” to enhance the security of the sandbox. With a job object, processes can be grouped and the amount and type of resources they can use are limited. In several cases this can also be used to limit what a process can do.
With Windows 8.1 Microsoft introduced a “console driver” that can be used to circumvent these limitations. The issue by itself doesn’t allow escaping from the Google Chrome sandbox; however, in combination with other bugs it can be abused to escape from it.
Google reported the issue on the 9th of December 2014, after which Microsoft had 90 days to fix it. However, Microsoft has already told Google that it won’t fix the bug. Forshaw understands Microsoft’s decision; in his analysis of the bug he writes, “I can understand why Microsoft would not want to fix it, it acts in this manner for backwards compatibility reasons and changing it would be difficult.”
Nevertheless, a solution is possible according to the Google researcher, and in the meantime Google Chrome uses a different method to protect the sandbox that can’t be circumvented (yet).