How one line of code change in Windows allowed Chrome sandbox hacking

Sometimes, security bug fixes create other system issues that should improve. Experts in vulnerability assessment mentioned that a Windows 10 kernel flaw allows you to bypass the system sandbox, which limits browser processes to prevent a potentially malicious file from running on the target system. This vulnerability was introduced in the 1903 version of Windows, released in May 2019.

“While this environment has its advantages, it also has several drawbacks. The main one is that their deployment depends on the security of the Windows system,” explains a security alert from Google’s Project Zero. If an error is found in the Windows security mechanisms, the sandbox might collapse.”

According to the vulnerability assessment experts, this was precisely what happened after a security token feature bypassed the vulnerability in the Windows 10 kernel that was leaked in last year’s update. This update broke with some of the security premises that Chromium developers trusted to protect the browser sandbox. 

Prior to this update, you were given restricted access to new sandbox processes to block write access, as this could allow a threat actor to compromise other areas of the system. After the inclusion of Windows version 1903, this process stopped working as expected.

“The update created a vulnerability to bypass these security features, so Windows was unable to properly handle token relationships,” a Microsoft report mentions. If a threat actor exploits the vulnerability, it could allow an application to run code, which would trigger a sandbox leak. Project Zero’s vulnerability assessment specialists proved able to use this vulnerability to create a chain of execution to escape the Chrome sandbox.

Escaping the Chrome sandbox also requires exploiting other attack variants; It is worth mentioning that, by themselves, these flaws are not enough to complete this attack in Windows 10 1903. 

The International Institute of Cyber Security (IICS) mentions that this is an indicator of everything that can alter a small modification in the Windows kernel. In addition, this case demonstrates the functionality of exploit mitigations around the behaviors of a security environment such as sandbox.