Google has discovered that at some point with Windows 10 1903 Microsoft introduced a bug into the OS which broke the sandboxes for all Chromium-based browsers.

The explanation is rather too complicated for a mere mortal, but it amounted to a one-line change in the OS code that records which security token a newly created token was derived from.

NewToken->ParentTokenId = OldToken->TokenId;

was changed to

NewToken->ParentTokenId = OldToken->ParentTokenId;
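To make the one-line change concrete, the following is an added, constructed C model of the two fields shown above; it is not Windows kernel code and not from Google's post. The three-token chain, its ids and the parent/sibling tests are assumptions chosen to show the effect of the change, not Microsoft's actual lineage checks.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of the two fields named above. Not Windows kernel
 * code: it only shows how the changed line alters the recorded lineage. */
typedef struct Token {
    uint64_t TokenId;
    uint64_t ParentTokenId;   /* 0 means "no parent" in this model */
} Token;

/* Derive NewToken from OldToken. 'buggy' selects the Windows 10 1903 line. */
static Token derive_token(const Token *OldToken, uint64_t new_id, bool buggy)
{
    Token NewToken = { .TokenId = new_id, .ParentTokenId = 0 };
    if (buggy)
        NewToken.ParentTokenId = OldToken->ParentTokenId;  /* 1903 change */
    else
        NewToken.ParentTokenId = OldToken->TokenId;        /* original */
    return NewToken;
}

/* Constructed chain: unrestricted root token (id 1), the sandboxed
 * process's token derived from it (id 2), and a token the sandboxed
 * process derives from its own (id 3). */
static void build_chain(bool buggy, Token *root, Token *sandboxed, Token *inner)
{
    *root = (Token){ .TokenId = 1, .ParentTokenId = 0 };
    *sandboxed = derive_token(root, 2, buggy);
    *inner = derive_token(sandboxed, 3, buggy);
}

/* Parent recorded on the inner token: 2 (the sandboxed token) with the
 * original line, 0 (the root token's own parent value) with the 1903 line. */
uint64_t recorded_parent_of_inner(bool buggy)
{
    Token root, sandboxed, inner;
    build_chain(buggy, &root, &sandboxed, &inner);
    return inner.ParentTokenId;
}

/* An assumed lineage test (not Microsoft's check) comparing ParentTokenId
 * values: does the inner token look like a sibling of the root token
 * rather than its grandchild? */
bool inner_looks_like_sibling_of_root(bool buggy)
{
    Token root, sandboxed, inner;
    build_chain(buggy, &root, &sandboxed, &inner);
    return inner.ParentTokenId == root.ParentTokenId;
}
```

With the 1903 line, every token derived inside the sandbox carries the same parent value as the unrestricted token it ultimately came from, so a test based on these fields can no longer tell the two apart.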

Microsoft’s security advisory (CVE-2020-0981 | Windows Token Security Feature Bypass Vulnerability) explains it most succinctly:

A security feature bypass vulnerability exists when Windows fails to properly handle token relationships.

An attacker who successfully exploited the vulnerability could allow an application with a certain integrity level to execute code at a different integrity level, leading to a sandbox escape.

As Microsoft notes (and Google’s Project Zero discovered), the change allows hackers to escape the Chromium sandbox and run arbitrary code.

Fortunately, Microsoft has released a patch (KB4549951) in this month’s Patch Tuesday, though we note that the update is currently causing significant bugs.

Google notes that your security is only as good as your weakest link, which in this case was Windows.

Read Google’s full and detailed blog post here.
