The Google Chrome web browser has a high-severity vulnerability that could be used to execute arbitrary code, researchers say. The flaw has been fixed in the Chrome 85 stable channel, set to be rolled out to users this week.
The flaw (CVE-2020-6492) is a use-after-free vulnerability in the WebGL (Web Graphics Library) component of Chrome browser. This component is a Javascript API that lets users render 2D and 3D graphics within their browser. This specific flaw stems from the WebGL component failing to properly handle objects in memory.
“An adversary could manipulate the memory layout of the browser in a way that they could gain control of the use-after-free exploit, which could ultimately lead to arbitrary code execution,” according to Jon Munshaw with Cisco Talos in a Monday analysis.
The flaw ranks 8.3 out of 10 on the CVSS scale, making it a high-severity vulnerability. Researchers said this vulnerability specifically exists in ANGLE, a compatibility layer between OpenGL and Direct3D used on Windows by Chrome browser and other project.
According to the proof-of-concept (PoC) attack outlined by researchers, the issue exists in a function of ANGLE, called “State::syncTextures.” This function is responsible for checking if texture has any “DirtyBits.” These are “bitsets” indicating if a specific state value, associated with a block of computer memory, has been changed.
An attacker can execute vulnerable code via a function called drawArraysInstanced. When the texture object tries to syncState (via the “Texture::syncState function) it creates a use after free condition. Use after free stems from attempts to access memory after it has been freed, which can cause a program to crash or can potentially result in the execution of arbitrary code.
Threatpost has reached out to Cisco for further details of the flaw, including how a real-world attack scenario would play out.
The flaw, which was reported to Cisco May 19, impacts Google Chrome versions 81.0.4044.138 (Stable), 84.0.4136.5 (Dev) and 84.0.4143.7 (Canary). A fix became available via Google Chrome’s Beta channel release, but it has been officially rolled out to the Stable channel for version 85.0.4149.0 that will roll out on Monday. The stable channel is the Chrome version that users generally get; while the Beta channel allows specific users to preview upcoming Chrome features before they’re released and give Google feedback.
The bug comes after a vulnerability was found in Google’s Chromium-based browsers earlier in August, which could allow attackers to bypass the Content Security Policy (CSP) on websites, in order to steal data and execute rogue code. The bug (CVE-2020-6519) is found in Chrome, Opera and Edge, on Windows, Mac and Android – potentially affecting billions of web users, according to PerimeterX cybersecurity researcher Gal Weizman. Chrome versions 73 (March 2019) through 83 are affected (84 was released in July and fixes the issue).
It’s the age of remote working, and businesses are facing new and bigger cyber-risks – whether it’s collaboration platforms in the crosshairs, evolving insider threats or issues with locking down a much broader footprint. Find out how to address these new cybersecurity realities with our complimentary Threatpost eBook, 2020 in Security: Four Stories from the New Threat Landscape, presented in conjunction with Forcepoint. We redefine “secure” in a work-from-home world and offer compelling real-world best practices. Click here to download our eBook now.