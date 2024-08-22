from the here's-back-at-ya! dept.
Microsoft details critical vulnerability in ChromeOS:
Microsoft finds critical hole in operating system that for once isn't Windows Oh wow, get a load of Google using strcpy() all wrong – strcpy! Haha, you'll never ever catch us doing that
Microsoft has described a severe ChromeOS security vulnerability that one of its researchers reported to Google in late April.
The bug was promptly fixed and, about a month later, merged in ChromeOS code then released on June 15, 2022 and detailed by Redmond in a report released on Friday.
Microsoft's write-up is noteworthy both for the severity (9.8 out of 10) of the bug and for flipping of the script – it has tended to be Google, particularly its Project Zero group, that calls attention to bugs in Microsoft software.
At least as far back as 2010, Google security researchers made a habit of disclosing bugs in software from Microsoft and other vendors after typically 90 days – even if a patch had not been released – in the interest of forcing companies to respond to security flaws more quickly.
[...] The ChromeOS memory corruption vulnerability – CVE-2022-2587 – was particularly severe. As Jonathan Bar Or, a member of the Microsoft 365 Defender research team, explains in his post, the problem follows from the use of D-Bus, an Inter-Process-Communication (IPC) mechanism used in Linux.
A D-Bus service called org.chromium.cras (for ChromiumOS Audio Server) provides a way to route audio to newly added peripherals like USB speakers and Bluetooth headsets. The service includes a function called SetPlayerIdentity, which accepts a string argument called identity as its input. And the function's C code calls out to strcpy in the standard library. Yes, strcpy, which is a dangerous function.
"To the experienced security engineer, the mention of the strcpy function immediately raises red flags," explains Jonathan Bar Or. "The strcpy function is known to cause various memory corruption vulnerabilities since it doesn't perform any bounds check and is therefore considered unsafe.
[...] Bar Or already received thanks from Google's Vulnerability Rewards Program, which in June awarded him $25,000 for the responsible disclosure of the bug.