Security researchers at Microsoft revealed information about a critical vulnerability in the Google Chrome browser that allows attackers to remotely execute code on a victim’s computer.
The Chrome browser uses a sandbox to ensure that web applications run in a restricted environment. This means that bypassing the sandbox takes another, not yet known vulnerability.
The Microsoft researchers wanted to determine how far they could go without discovering the second vulnerability. They found that remote code execution in the rendering process can be used to bypass the Same Origin Policy (SOP), which stops a malicious script that has infected one website's pages from getting access to important data on another website's pages.
Google experts have already fixed the vulnerability, CVE-2017-5121, in the new Chrome 61 version. Google awarded the Microsoft security researchers a $7,500 bug bounty for reporting it. Along with other bugs the Microsoft team reported to Google, the total bounty amount was $15,837.