Google is famous for its continuous improvement efforts on Chrome browser. However, according to Forbes , a fairly serious bug has just appeared on Chrome browser that has caused Google to give up due to the cause of Windows 10 operating system.
This information was recently revealed in a post entitled “You won’t believe what a single command line did to the Chrome Sandbox”.
According to researcher James Forshaw of Project Zero of Google, in fact, Chrome’s security mechanism is completely based on the code of the Windows 10 operating system.
|Chrome’s security mechanism is based entirely on the code of Windows 10 operating system. Photo: Softpedia News.|
Forshaw also explained, a newly released Windows 10 update completely broke the Chrome security system. A line of Windows 10 code has been written in the wrong place.
“Chromium (the security mechanism to prevent the spread of an incident to other software) of Chromium (the source code for building Chrome) on Windows has actually stood up to many challenges in the past. It can be said that this is one of the good sandbox mechanisms when it can be quickly deployed without requiring high-level access from the operating system, ”Forshaw explained about Chrome’s sandbox mechanism.
“However, no matter how optimal it is, it will have its weaknesses. One of them is that the sandbox deployment is completely dependent on the security mechanism of the Windows operating system. Interfering with Windows is beyond the control of the Chromium development team. Therefore, if an error is found in the Windows security mechanism, the sandbox will be corrupted, ”Forshaw explained.
Forshaw contends that Microsoft’s Windows 10 1903 update unintentionally allowed attacks to be made within the Chrome browser itself to circumvent security mechanisms. This makes it possible to infect the Windows 10 operating system.
|The Windows 10 1903 update by Microsoft inadvertently allowed attacks to be performed within the Chrome browser itself to circumvent security mechanisms. Photo: Alamy.|
The expert later discovered that there were quite a number of vulnerabilities that could help attacks escape Chrome security.
“I hope this gives an insight into how a small change in the Windows kernel could seriously impact the security of the sandbox,” Forshaw warned.
After receiving a warning from Forshaw, Microsoft later released a patch called CVE-2020-0981 to fix it.
However, the much larger “gap” that Forshaw mentioned is still there. The security mechanism of Google Chrome browser on Windows 10 is still completely dependent on Microsoft and this is irreversible.
For the majority of users, this error can be ignored, but for those who need a high level of security, they may have to choose a different solution: either not using Chrome on Windows, or using Windows but not Chrome.