Google Just Gave Millions Of Users A Reason To Quit Chrome, Windows 10 - Forbes
Google is always improving Chrome and it recently issued a brilliant (if long overdue) upgrade. Unfortunately, now Google has detailed a serious new problem in Chrome which cannot be fixed, and it's all down to Windows 10.
Edit: James Forshaw has clarified that Firefox is impacted the same way because it uses the Chromium sandbox, which Mozilla confirms. The result is that Forshaw's research exposes the vulnerability of the sandbox of all major browsers to updates in Windows 10. I have followed this up with Firefox, Opera, Brave and Microsoft and will update when I have more information.
In a fascinating post titled ‘You Won't Believe what this One Line Change Did to the Chrome Sandbox’, Google’s Project Zero researcher James Forshaw revealed that Chrome is entirely reliant on the code of Windows 10 to stay secure. Moreover, Forshaw explains a new Windows 10 update recently broke through Chrome’s security with just a single line of misplaced code. Given Windows 10’s appalling recent update record, that’s not reassuring for either browser or platform.
“The Chromium sandbox [a security mechanism to stop failures from spreading to other software] on Windows has stood the test of time,” Forshaw explains. “It’s considered one of the better sandboxing mechanisms deployed at scale without requiring elevated privileges to function. For all the good, it does have its weaknesses. The main one being the sandbox’s implementation is reliant on the security of the Windows OS. Changing the behavior of Windows is out of the control of the Chromium development team. If a bug is found in the security enforcement mechanisms of Windows then the sandbox can break.”
And that’s exactly what happened. Forshaw states that Microsoft introduced a Windows 10 1903 update that enables online attacks conducted in the Chrome browser to break its security and spread into Windows itself. He subsequently found multiple ways to escape Chrome’s security. In outlining the different options, he warned: “I hope this gives an insight into how such a small change in the Windows kernel can have a disproportionate impact on the security of a sandbox environment.”
The good news is Forshaw alerted Microsoft to the problem and the company issued a patch (CVE-2020-0981) to fix it. That said, the fundamental flaw Forshaw identified remains: the security of Google Chrome on Windows 10 depends on Microsoft and that cannot be changed.
It's important to point out that other Chromium-based browsers suffer the same risk (Opera, Brave, Microsoft's new Edge browser), and that means you may be tempted to quit Windows 10 if you are more wedded to your browser than your operating system.
If you prefer to stay put, one ray of light is a recent tip-off that Microsoft might be making fundamental changes to Windows 10 updates but, for now, users have a decision to make.