
Microsoft: How we unearthed a critical flaw in ChromeOS, and how Google fixed it

Aug 22, 2022 Hi-network.com

ChromeOS is considered secure compared to legacy Windows and MacOS, but Microsoft recently discovered a nasty, remotely exploitable bug in ChromeOS's audio server with a severity score of 9.8 out of 10. 

ChromeOS is Google's proprietary OS based on the open-source ChromiumOS, which itself is underpinned by Linux.   

Microsoft security researcher Jonathan Bar Or found the bug in the ChromiumOS Audio Server (CRAS), a service that routes audio to peripherals such as USB speakers and Bluetooth headsets.


Or found a local memory corruption issue that could be remotely triggered by manipulating audio metadata, either in the browser or via Bluetooth. 


"Attackers could have lured users into meeting these conditions, such as by simply playing a new song in a browser or from a paired Bluetooth device, or leveraged adversary-in-the-middle (AiTM) capabilities to exploit the vulnerability remotely," he explains in a blogpost. 

Microsoft reported the issue to Google in April. Google assigned the bug CVE-2022-2587 and released a patch in mid-June, but was already working on fixes within a week of it being reported. Google described it as a high-severity flaw due to an out-of-bounds write in CRAS.   

Or scoped out ChromeOS in search of similar issues to the D-Bus bugs he had turned up when analyzing Linux earlier this year.

ChromeOS, being based on Linux, could also be vulnerable to similar bugs. But, he notes, ChromeOS typically requires an attacker to chain together multiple vulnerabilities due to Google's proprietary hardening measures. Hence, there are fewer discovered flaws than in Windows or MacOS. 

The audio server bug was a ChromeOS-specific memory-corruption vulnerability, which Or found after inspecting the handling function called SetPlayerIdentity, which called the C library function "strcpy".


"To the experienced security engineer, the mention of the strcpy function immediately raises red flags," notes Or. 

"The strcpy function is known to cause various memory corruption vulnerabilities since it doesn't perform any bounds check and is therefore considered unsafe. As there are no bounds checks on the user-supplied identity argument before invoking strcpy (besides the default message length limitations for D-Bus messages), we were confident we could trigger a heap-based buffer overflow, therefore triggering a memory corruption vulnerability."

Heap-based buffer overflows can lead to arbitrary code execution, but to make the attack more dangerous, he needed a way to trigger it remotely, which he found could be done by changing audio metadata. This can be achieved through the browser when a new song is played, or via Bluetooth when playing a new song from a paired Bluetooth device. The actual vulnerable function is cras_bt_player_update_identity.
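The pattern Or describes, as an added illustration that is not CRAS code or Microsoft's research code: a hypothetical player record with a fixed-size identity field, a handler in the vulnerable shape (strcpy with no length check, kept only for comparison and never called here), and a hardened handler that validates the length before writing. The struct layout, the 64-byte capacity and all function names are assumptions, not the real CRAS internals.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical capacity of the identity field; not the real CRAS layout. */
#define IDENTITY_CAP 64

/* Hypothetical player record. identity sits next to other state, so a copy
 * that runs past it corrupts whatever the allocator placed after it. */
struct player {
    char identity[IDENTITY_CAP];
    int  volume;
};

/* The shape the article describes: the D-Bus identity string is copied with
 * strcpy, which stops only at the source's NUL. The D-Bus per-message limit
 * is far larger than IDENTITY_CAP, so it is not a bounds check. Shown for
 * comparison only; nothing else in this example calls it. */
void update_identity_unsafe(struct player *p, const char *identity)
{
    strcpy(p->identity, identity);              /* no length check */
}

/* 1 if strcpy would write past the field, computed without doing the copy. */
int identity_would_overflow(const char *identity)
{
    return strlen(identity) + 1 > IDENTITY_CAP;
}

/* Hardened handler: locate the terminator within the field's capacity before
 * any write, reject oversize input and leave the record untouched.
 * Returns 0 on success, -1 when the identity does not fit. */
int update_identity_safe(struct player *p, const char *identity)
{
    const char *nul = memchr(identity, '\0', IDENTITY_CAP);
    if (nul == NULL)
        return -1;                              /* no room for string + NUL */
    memcpy(p->identity, identity, (size_t)(nul - identity) + 1);
    return 0;
}

/* Heap allocation, as a long-running server would do for a player object. */
struct player *player_new(void)
{
    struct player *p = calloc(1, sizeof *p);
    if (p != NULL)
        p->volume = 50;
    return p;
}
```

With a 199-byte identity, update_identity_safe returns -1 and leaves both identity and volume unchanged, while identity_would_overflow reports 1 for the same input; a 63-character identity is the longest one either handler can store without corruption.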

Or commended Google for its speed in fixing the issue after it was reported. He notes that, while it is not easy to exploit, its impact on a ChromeOS device (which could include old Macs and PCs, thanks to Google's ChromeOS Flex) warranted such a response from Google.

"We were impressed with the speed of the fix and the effectiveness of the overall process. Within less than a week, the code was committed and, after several merges, made generally available to users. We thank the Google team and the Chromium community for their efforts in addressing the issue," writes Or.
