Google has revealed that a Windows 10 build released by Microsoft caused all sandboxes across Chromium-based browsers to break. That means Google's own Chrome and Microsoft's Edge browsers are affected by the bug.
Specifically, the vulnerability was introduced with Windows 10 1903 (May 2019 Update). In a blog post, Google explains the flaw in excruciating detail. However, the problem boils down to a single line change in the OS code of Windows 10 and how it relates to a security token.
The assignment NewToken->ParentTokenId = OldToken->TokenId; was changed to NewToken->ParentTokenId = OldToken->ParentTokenId;
Google's Project Zero blog title, “You Won't Believe what this One Line Change Did to the Chrome Sandbox”, is apt because that line change caused some significant problems for Chromium sandboxes. For example, it allows attackers to bypass sandboxes in Edge and Chrome.
By escaping the sandbox, bad actors can run arbitrary code on a system. Microsoft confirmed the problem previously with a security advisory (CVE-2020-0981 | Windows Token Security Feature Bypass Vulnerability). Redmond provided a more standard explanation of the problem:
“A security feature bypass vulnerability exists when Windows fails to properly handle token relationships.
An attacker who successfully exploited the vulnerability could allow an application with a certain integrity level to execute code at a different integrity level, leading to a sandbox escape.”
Google says the mitigations it has in place to prevent hackers from leaving Chromium sandboxes depend on Windows being secure. Microsoft released a patch (KB4549951) in this month's Patch Tuesday. However, you may remember that Patch Tuesday release has brought its own problems.
Users report that the Windows 10 KB4549951 update is throwing up error messages when it is installed. Interestingly, Microsoft has yet to confirm this problem and include it as a known issue. Even once the error messages are closed, KB4549951 is causing some serious problems.
Among them are broken connectivity through WiFi and Bluetooth. More concerning for users are automatic blue screen of death (BSOD) shutdowns. Some users are also complaining about reduced PC performance.
Users are advised to not install this patch for the time being, meaning their browsers could be vulnerable.