Chrome UAF Process Vulnerabilities Actively Exploited

Security researchers have revealed that two critical use-after-free (UAF) vulnerabilities in Google Chrome’s Browser process were actively exploited in the wild, exposing users to potential sandbox escapes and arbitrary code execution.

However, Google’s deployment of the MiraclePtr defense mechanism ensures these flaws are no longer exploitable, marking a significant milestone in browser security.

Technical Analysis and Vulnerability Details

According to the official report from SSD Labs, the vulnerabilities resided in Chrome versions 133.0.6835.0 to 135.0.7016.0.

The bugs originated from the improper handling of callbacks bound to raw pointers and WeakPtr, specifically within the synchronisation services.

Consider the following example from components/sync/service/sync_service_impl.cc:

void SyncServiceImpl::GetLocalDataDescriptions(... DataTypeSet types,

    base::OnceCallback<void(std::map<DataType, LocalDataDescription>)> callback) {

  base::SequencedTaskRunner::GetCurrentDefault()->PostTask(

      FROM_HERE,

      base::BindOnce(&SyncServiceImpl::GetLocalDataDescriptionsImpl,

                     weak_factory_.GetWeakPtr(), types, std::move(callback)));

}

The vulnerability is triggered if the bound callback’s instance is destroyed while the posted task is still executing, resulting in a UAF condition.

How It Works:

• Each pointer increases a hidden reference counter when allocated.
• When an object is no longer needed, only if all references are gone is the memory actually freed.
• Attempted use of a freed pointer triggers an intentional crash, not code execution.

Proofs of Concept and Exploit Attempts

Demonstrations showed that opening certain Chrome pages and quickly closing the associated window could trigger the vulnerable code paths, previously leading to a crash and possible exploitation.

However, with MiraclePtr enabled, these attempts only cause a crash, not a security breach.

The rapid discovery and containment of these UAF vulnerabilities, thanks to Chrome’s proactive mitigation, highlight the evolving arms race in browser security.

While the vulnerabilities were technically “actively exploited in the wild,” Chrome’s MiraclePtr has effectively closed off this attack vector for now.

Security experts urge all Chrome users to ensure their browsers are updated to stay protected against similar threats. 

The ongoing rollout and improvements to MiraclePtr technology underline Google’s commitment to defending its vast user base against even the most sophisticated attacks.

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!