Stories
Slash Boxes
Comments

SoylentNews is people

Microsoft Details Critical Vulnerability in ChromeOS

posted by janrinok on Thursday August 25 2022, @01:21PM   Printer-friendly
from the here's-back-at-ya! dept.

upstart writes:

Microsoft details critical vulnerability in ChromeOS:

Microsoft finds critical hole in operating system that for once isn't Windows Oh wow, get a load of Google using strcpy() all wrong – strcpy! Haha, you'll never ever catch us doing that

Microsoft has described a severe ChromeOS security vulnerability that one of its researchers reported to Google in late April.

The bug was promptly fixed and, about a month later, merged in ChromeOS code then released on June 15, 2022 and detailed by Redmond in a report released on Friday.

Microsoft's write-up is noteworthy both for the severity (9.8 out of 10) of the bug and for flipping of the script – it has tended to be Google, particularly its Project Zero group, that calls attention to bugs in Microsoft software.

At least as far back as 2010, Google security researchers made a habit of disclosing bugs in software from Microsoft and other vendors after typically 90 days – even if a patch had not been released – in the interest of forcing companies to respond to security flaws more quickly.

[...] The ChromeOS memory corruption vulnerability – CVE-2022-2587 – was particularly severe. As Jonathan Bar Or, a member of the Microsoft 365 Defender research team, explains in his post, the problem follows from the use of D-Bus, an Inter-Process-Communication (IPC) mechanism used in Linux.

A D-Bus service called org.chromium.cras (for ChromiumOS Audio Server) provides a way to route audio to newly added peripherals like USB speakers and Bluetooth headsets. The service includes a function called SetPlayerIdentity, which accepts a string argument called identity as its input. And the function's C code calls out to strcpy in the standard library. Yes, strcpy, which is a dangerous function.

"To the experienced security engineer, the mention of the strcpy function immediately raises red flags," explains Jonathan Bar Or. "The strcpy function is known to cause various memory corruption vulnerabilities since it doesn't perform any bounds check and is therefore considered unsafe.

[...] Bar Or already received thanks from Google's Vulnerability Rewards Program, which in June awarded him $25,000 for the responsible disclosure of the bug.

Original Submission

 
This discussion was created by janrinok (52) for logged-in users only, but now has been archived. No new comments can be posted.
Microsoft Details Critical Vulnerability in ChromeOS | Log In/Create an Account | Top | 9 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 1) by crotherm on Thursday August 25 2022, @06:37PM

    by crotherm (5427) on Thursday August 25 2022, @06:37PM (#1268428)

    I laughed when I saw "strcpy". For some reason it reminded me of my first C book not K&R, some red book, Learning C or some such. No mention of system(2) calls, nor really unix for that matter. Turbo C FTW!