A Chrome 85 update published by Google this week patches several high-severity bugs, including some that can be exploited by convincing users to install malicious extensions.
Researcher David Erceg found the extension-related vulnerabilities, which Google describes as “insufficient policy compliance in extensions,” in August. Three bugs of this kind were identified: CVE-2020-15961, a high-severity vulnerability that earned him a $15,000 bug bounty; CVE-2020-15963, also high severity, for which he received $5,000; and CVE-2020-15966, which has been rated medium severity and for which the bug bounty has yet to be determined.
Erceg said the bugs he identified all affect the same API exposed to extensions, but he declined to name that API because Google has not listed it in its release notes.
Exploiting any of the three vulnerabilities requires convincing the targeted user to install a malicious extension that has been granted certain permissions.
Two of the issues, the high-severity ones, allow an extension to download an executable file and run it. In both cases no user interaction is required once the extension is installed, Erceg explained. “In a real world assault, those problems would cause an extension to run an executable outside of the browser’s sandbox shortly after install (using the first issue, it could plausibly be achieved within a few seconds).”
He noted that the second high-severity vulnerability (CVE-2020-15963) can only be exploited to run an executable outside the sandbox if certain conditions are met. Even when those conditions are not met, an attacker may still perform other actions, such as accessing restricted pages or reading local data. Alternatively, an attacker could chain this flaw with another vulnerability to execute code outside the sandbox.
The medium-severity issue, the researcher says, can be abused by a malicious extension to read the contents of local files, something an extension is normally not permitted to do without explicit permission from the user.
The Chrome 85 update that fixes these vulnerabilities also addresses an out-of-bounds read in storage, for which an anonymous researcher received $15,000, and an insufficient policy compliance issue for which researchers Leecraso and Guang Gong of 360 Alpha Lab earned $10,000.
Earlier this month, Leecraso and Guang Gong earned a $20,000 bug bounty from Google for discovering a high-severity flaw that can be abused to escape the Chrome sandbox.