Google has had a tough time of late, from the WPA2 vulnerability that affected almost half of all Android devices, which the company says will be fixed in the coming weeks, to a Maps goof-up that led to people on social media accusing the company of fat-shaming women. Now, Microsoft has revealed a few exploits in Google's prized browser, Chrome.
First, some background. A few days ago, Google criticized Microsoft for its patching policies and blamed the company for putting Windows 7 users "at risk". The Redmond company's Offensive Security Research (OSR) team has now hit back at Google by publishing a remote code execution exploit in Chrome. The bug has been assigned CVE-2017-5121.
Their findings included:
- Our discovery of CVE-2017-5121 indicates that it is possible to find remotely exploitable vulnerabilities in modern browsers
- Chrome’s relative lack of RCE mitigations means the path from memory corruption bug to exploit can be a short one
- Several security checks being done within the sandbox result in RCE exploits being able to, among other things, bypass Same Origin Policy (SOP), giving RCE-capable attackers access to victims’ online services (such as email, documents, and banking sessions) and saved credentials
- Chrome’s process for servicing vulnerabilities can result in the public disclosure of details for security flaws before fixes are pushed to customers
Google acknowledged the vulnerability and awarded the team a bounty of $15,837 for this exploit and other bugs that the team found but didn't exploit. The amount was matched by the search giant and donated to a charity of Microsoft's choosing, the Denise Louie Education Center. Interestingly, Edge was recently found to be more resilient against phishing attacks than Chrome.