Google Chrome contains a vulnerability that could allow an attacker to silently execute remote code on a victim’s machine outside of the browser’s built-in sandbox protections.
According to Google, however, the issue is not technically a flaw, but rather a “strange behaviour” that would require substantial user manipulation to exploit.
The bug remains exploitable more than a month after it was reported by Slovenia-based Acros Security.
It could result in Chrome, under specific circumstances, loading an encryption configuration file from an insecure location, Acros Security chief executive officer Mitja Kolsek said.
This could allow an attacker to execute remote code on a victim’s machine outside of the Chrome sandbox, a mechanism designed to protect sensitive resources from being accessed by malicious code.
The flaw involves an encryption configuration file called pkcs11.txt, which is loaded in Chrome by a browser-integrated Mozilla Network Security Services (NSS) library.
The same flaw might exist in other products that use NSS libraries, Kolsek said.
To exploit the bug in Chrome, an attacker would have to set up a network share and place a malicious pkcs11.txt file inside of it.
The adversary would then have to trick the user into opening or saving the nefarious file.
If a user was successfully duped, Chrome would automatically set the current working directory to an insecure location.
Successful exploitation is a complex scenario, and both Google and Acros researchers said the risk of exploitation is low.
Moreover, for the attack to work, Google must not be the default search engine within the browser.
Other search engines, such as Yahoo and Bing, do not send any HTTPS requests when Chrome is launched, and therefore allow the attack to be performed.
A user must also not have visited websites that send HTTPS requests prior to the attack.
Finally, Chrome’s current working directory must be set to an attacker-controlled location for the attack to work.
Google employees have notified Mozilla about the issue, a source close to Google said.
A fixed version of the Network Security Services code is expected to be integrated into Chrome in an upcoming version.