Microsoft has described a serious ChromeOS security vulnerability that one of its researchers reported to Google in late April.
The bug was fixed promptly, merged into the ChromeOS code base about a month later, released on June 15, 2022, and detailed by Redmond in a report published on Friday.
Microsoft's write-up is notable both for the severity of the bug (rated 9.8 out of 10) and for the role reversal: it is usually Google's Project Zero team that points out bugs in other vendors' software, particularly Microsoft's.
Going back at least to 2010, Google security researchers have made a habit of disclosing bugs in software from Microsoft and other vendors after 90 days, even if a patch has not been released, in the interest of pushing companies to fix security flaws faster.
Microsoft has criticized Google for this at times over the years, though as early as 2011 Redmond showed it was willing to adopt a revised security disclosure policy of its own, one that came with disclosures of Chrome vulnerabilities, albeit months after Google had fixed them.
Microsoft's announcement of a critical flaw in ChromeOS is not a zero-day: it comes months after Google shipped the necessary fixes. But it does allow the Windows giant to point out problems in a competitor's hardened code, and to note how quickly Google fixed them.
Critical issue
The ChromeOS memory corruption vulnerability, CVE-2022-2587, was particularly severe. As Jonathan Bar Or, a member of the Microsoft 365 Defender research team, explained in his post, the problem stems from the use of D-Bus, an inter-process communication (IPC) mechanism used on Linux.
A D-Bus service called org.chromium.cras (for ChromiumOS Audio Server) provides a way to route audio to newly added peripherals such as USB speakers and Bluetooth headsets. The service includes a method called SetPlayerIdentity, which takes a string argument named identity as input, and the function's C code copies that string with strcpy from the standard library. Yes, strcpy, that dangerous function.
"To a seasoned security engineer, mention of the strcpy function immediately raises red flags," explains Jonathan Bar Or. "The strcpy function is known to cause various memory corruptions because it does not perform any bounds checking and is therefore considered unsafe.
"Since there is no limit on the user-supplied identity argument before strcpy is applied (aside from the default length limits for D-Bus messages), we were confident that we could cause a stack-based buffer overflow, triggering a memory corruption vulnerability."
A stack-based buffer overflow could be triggered from the command line simply by passing a 200-character string with the dbus-send utility. With a little more effort, it was determined that the bug could also be triggered remotely, via a browser or Bluetooth, through the MediaSessionMetadataChanged method, which passes song metadata to the CRAS audio handling component.
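The pattern described above, the vulnerable copy beside a bounds-checked replacement, as an added example that is not the CRAS source or Microsoft's proof of concept. The struct, the 64-byte buffer size, the function names and the sentinel field are all assumptions made for illustration; the page does not give the real buffer size or the real handler. The vulnerable setter is deliberately called only with a short string here, because feeding it the 200-character input is undefined behaviour by design.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Assumed fixed-size identity buffer for this example; the page does not
 * state the size CRAS actually uses. */
#define PLAYER_IDENTITY_MAX 64
#define SENTINEL_VALUE 0xC0FFEEu

/* Hypothetical player state, modelled on the page's description of a string
 * identity copied with strcpy. The sentinel sits right after the buffer so a
 * demo can show whether a copy stayed in bounds. */
struct player_state {
    char identity[PLAYER_IDENTITY_MAX];
    unsigned int sentinel;
};

void player_state_init(struct player_state *p)
{
    memset(p, 0, sizeof *p);
    p->sentinel = SENTINEL_VALUE;
}

/* Vulnerable pattern, as described on the page: strcpy with no bounds check.
 * Any identity of PLAYER_IDENTITY_MAX bytes or more (counting the NUL) writes
 * past the buffer. Never call this with untrusted input. */
void set_player_identity_vulnerable(struct player_state *p, const char *identity)
{
    strcpy(p->identity, identity);
}

/* Hardened replacement: measure with a bounded scan, refuse anything that
 * would not fit including its NUL terminator, and only then copy.
 * Returns 0 on success, -1 on rejection; on rejection nothing is written. */
int set_player_identity_checked(struct player_state *p, const char *identity)
{
    if (p == NULL || identity == NULL)
        return -1;
    size_t n = 0;
    while (n < PLAYER_IDENTITY_MAX && identity[n] != '\0')
        n++;
    if (n >= PLAYER_IDENTITY_MAX)   /* no room for the terminator */
        return -1;
    memcpy(p->identity, identity, n + 1);
    return 0;
}

/* The up-front check a caller (or a fuzzer deciding what to send) can apply:
 * does an identity of this many characters overflow the buffer? */
bool identity_would_overflow(size_t len)
{
    return len >= PLAYER_IDENTITY_MAX;
}

/* Builds a 200-character identity (the length the page says was enough to
 * crash CRAS from dbus-send) and feeds it to the checked setter. Returns true
 * if the setter rejected it and left both the buffer and the sentinel intact. */
bool demo_long_identity_is_rejected(void)
{
    static char longid[201];
    memset(longid, 'A', 200);
    longid[200] = '\0';

    struct player_state p;
    player_state_init(&p);
    int rc = set_player_identity_checked(&p, longid);
    return rc == -1 && p.sentinel == SENTINEL_VALUE && p.identity[0] == '\0';
}

int main(void)
{
    struct player_state p;
    player_state_init(&p);

    /* Short identities are fine with either version. */
    set_player_identity_vulnerable(&p, "bluez-player");
    printf("vulnerable setter, short input: identity=%s sentinel intact=%d\n",
           p.identity, p.sentinel == SENTINEL_VALUE);

    printf("checked setter rejects 200-char identity: %s\n",
           demo_long_identity_is_rejected() ? "yes" : "no");
    printf("200-char identity would overflow a %d-byte buffer: %d\n",
           PLAYER_IDENTITY_MAX, identity_would_overflow(200));
    return 0;
}
```

The point of the checked version is that the length decision happens before any byte is written, and the scan itself is bounded, so a non-terminated or oversized input can neither overflow the destination nor run off the end of the source. The same shape applies whatever size the real buffer has.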
Bar Or allows that turning this bug into a remote code execution exploit would require stack grooming and chaining with other vulnerabilities, but it was dangerous enough to warrant Google's swift response.
"We were impressed by the speed of the fix and the overall efficiency of the process," he said.
"The code was developed in less than a week, and after a few merges it was generally available to users. We thank the Google team and the Chromium community for their efforts in solving the problem."
Bar Or's work has already been recognized by Google's Vulnerability Rewards Program, which in June awarded him $25,000 for responsibly disclosing the bug. ®