
Submission Preview


Microsoft Details Critical Vulnerability in ChromeOS

Accepted submission by upstart at 2022-08-23 15:30:43
News

████ # This file was generated bot-o-matically! Edit at your own risk. ████

Microsoft details critical vulnerability in ChromeOS [theregister.com]:

Microsoft finds critical hole in operating system that for once isn't Windows

Oh wow, get a load of Google using strcpy() all wrong – strcpy! Haha, you'll never ever catch us doing that

Microsoft has described a severe ChromeOS security vulnerability that one of its researchers reported to Google in late April.

The bug [chromium.org] was promptly fixed; the fix was merged into ChromeOS about a month later and shipped in the release of June 15, 2022 [googleblog.com]. Redmond then detailed the issue in a report released on Friday.

Microsoft's write-up [microsoft.com] is noteworthy both for the severity of the bug (CVSS 9.8 out of 10) and for flipping the script – it has tended to be Google, particularly its Project Zero group, that calls attention to bugs in Microsoft software.

At least as far back as 2010 [theregister.com], Google security researchers made a habit of disclosing bugs in software from Microsoft and other vendors after typically 90 days [theregister.com] – even if a patch had not been released – in the interest of forcing companies to respond [theregister.com] to security flaws more quickly.

Microsoft has chided Google about this several [theregister.com] times [theregister.com] over the years, though as early as 2011, Redmond showed itself willing to adapt with a revised security disclosure policy [theregister.com] that arrived with word of Chrome vulnerabilities – albeit months after Google had fixed them.

Microsoft's disclosure of the critical ChromeOS flaw isn't a zero-day, since Google had already shipped the fix before the write-up appeared. But it allows the Windows giant to magnanimously point out the problems in a competitor's hardened code and to pat Google on the back for its rapid repairs.

A critical issue

The ChromeOS memory corruption vulnerability – CVE-2022-2587 [nist.gov] – was particularly severe. As Jonathan Bar Or, a member of the Microsoft 365 Defender research team, explains in his post, the problem stems from the handling of a D-Bus message. D-Bus is the inter-process communication (IPC) mechanism used on Linux desktops, and on ChromeOS it is how system services such as the audio server expose methods to other processes.

A D-Bus service called org.chromium.cras (CRAS is the ChromiumOS Audio Server) provides a way to route audio to newly added peripherals like USB speakers and Bluetooth headsets. The service exposes a method called SetPlayerIdentity, which takes a single string argument, identity, supplied by the caller. The C code behind that method copies the string with strcpy from the standard library – a function that copies until it finds a NUL terminator and never checks the size of the destination buffer.

"To the experienced security engineer, the mention of the strcpy function immediately raises red flags," explains Jonathan Bar Or. "The strcpy function is known to cause various memory corruption vulnerabilities since it doesn’t perform any bounds check and is therefore considered unsafe.

"As there are no bounds checks on the user-supplied identity argument before invoking strcpy (besides the default message length limitations for D-Bus messages), we were confident we could trigger a heap-based buffer overflow, therefore triggering a memory corruption vulnerability."

From a local shell, a heap-based buffer overflow could be triggered simply by passing a 200-character string as the identity argument through the dbus-send utility. With a bit more effort, it was determined that song metadata, which the browser forwards to the CRAS audio handler component via the MediaSessionMetadataChanged method, could reach the same strcpy – so a web page or a Bluetooth device supplying a long enough string could trigger the bug remotely, without any local access.
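The overflow pattern described above, as an added example in C that is not from the Microsoft write-up, from CRAS, or from Google's fix. It puts a fixed-size identity buffer inside a heap object, keeps the unchecked strcpy form for comparison, and shows one bounds-checked replacement next to it. The buffer size (64 bytes), the struct layout, the field that an overflow would clobber and all function names are assumptions for illustration; the real CRAS buffer size is not stated on the page, and the hardened function is one correct fix pattern, not a claim about how the CRAS patch was written.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the heap buffer that receives the D-Bus "identity" string.
 * The page does not state the real CRAS buffer size; 64 bytes is an
 * assumption chosen so that a 200-character string clearly does not fit. */
#define IDENTITY_MAX 64

/* Hypothetical per-player heap object. The field after the buffer stands in
 * for whatever adjacent heap data an overflow would overwrite. */
struct player_state {
    char identity[IDENTITY_MAX];
    int volume;
};

struct player_state *player_new(void)
{
    struct player_state *p = calloc(1, sizeof *p);
    if (p)
        p->volume = 50;           /* constructed initial value, checked later */
    return p;
}

/* The vulnerable pattern the article describes: the caller-controlled string
 * is copied with strcpy and no length check, so anything longer than
 * IDENTITY_MAX - 1 bytes runs off the end of the buffer. Kept here for
 * comparison only; it must never be called with input that does not fit,
 * because that is undefined behaviour. */
void set_player_identity_unsafe(struct player_state *p, const char *identity)
{
    strcpy(p->identity, identity);
}

/* Number of bytes an unchecked strcpy of `identity` would write past the end
 * of p->identity (0 means it fits). The terminating NUL is counted, which is
 * the off-by-one that sizing a buffer by strlen alone gets wrong. */
size_t overflow_bytes(const char *identity)
{
    size_t needed = strlen(identity) + 1;
    return needed > IDENTITY_MAX ? needed - IDENTITY_MAX : 0;
}

/* Hardened form: look for the terminator only within the space available,
 * refuse anything that does not fit with its NUL, and copy exactly that many
 * bytes. Returns 0 on success, -1 when the input is rejected (the object is
 * left untouched in that case). */
int set_player_identity_checked(struct player_state *p, const char *identity)
{
    const char *end = memchr(identity, '\0', IDENTITY_MAX);
    if (end == NULL)
        return -1;                /* no NUL within IDENTITY_MAX: would overflow */
    size_t n = (size_t)(end - identity);
    memcpy(p->identity, identity, n);
    p->identity[n] = '\0';
    return 0;
}

/* Constructed attacker input: `len` bytes of 'A', like the 200-character
 * string the article says was handed to dbus-send. Caller frees it. */
char *make_long_identity(size_t len)
{
    char *s = malloc(len + 1);
    if (!s)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

int main(void)
{
    struct player_state *p = player_new();
    char *evil = make_long_identity(200);
    if (!p || !evil)
        return 1;

    set_player_identity_unsafe(p, "usb-speaker");   /* fits, so this is fine */

    int rc = set_player_identity_checked(p, evil);
    printf("checked copy of 200 bytes: rc=%d, strcpy would have overrun by %zu bytes, "
           "identity still \"%s\", volume still %d\n",
           rc, overflow_bytes(evil), p->identity, p->volume);

    free(evil);
    free(p);
    return 0;
}
```

The checked version deliberately measures with memchr bounded by the buffer size rather than strlen on the whole input: a D-Bus string is bounded only by the bus's message size limit, so even measuring it is work the attacker controls, and an unterminated input is rejected the same way as an oversized one.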

Bar Or allows that turning this bug into a working remote code execution exploit would require heap grooming and chaining with other vulnerabilities, but the unchecked copy of attacker-controlled data was dangerous enough to justify Google's rapid response.

"We were impressed with the speed of the fix [googlesource.com] and the effectiveness of the overall process," he said.

"Within less than a week, the code was committed and, after several merges, made generally available to users. We thank the Google team and the Chromium community for their efforts in addressing the issue."

Bar Or has already received thanks from Google's Vulnerability Rewards Program, which in June awarded him $25,000 [chromium.org] for the responsible disclosure of the bug.

The Register - Independent news and views for the tech community. Part of Situation Publishing

Biting the hand that feeds IT © 1998–2022
