Google awards Microsoft experts for discovered Chrome vulnerabilities


Security researchers at Microsoft have disclosed details of a critical vulnerability in the Google Chrome browser that allows an attacker to execute code remotely on the victim's computer.

The Microsoft Offensive Security Research (OSR) team analyzed Chrome's V8 JavaScript engine with ExprGen, a fuzzing tool Microsoft originally built to test its own JavaScript engine, Chakra. The researchers found a critical bug that leaks data and permits remote code execution inside Chrome's renderer process.

Chrome runs web content inside a sandbox, so a compromised renderer still operates in a restricted environment. Taking over the whole machine would therefore require a second, as yet unknown vulnerability that escapes the sandbox.

The Microsoft researchers instead set out to determine how far an attacker could get without such a second bug. They showed that code execution in the renderer process is enough to bypass the Same-Origin Policy (SOP), the browser rule that prevents a malicious script injected into one site's pages from reading data belonging to other sites.

Once the SOP is bypassed, an attacker can steal passwords stored for any website, inject malicious JavaScript into any site via universal cross-site scripting (UXSS), and silently log in to any website by impersonating the user's identity.
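To make concrete what the renderer normally enforces and what the bypass described above removes, here is an added example (not code from the article, Microsoft, or the Chromium project) that models the origin comparison behind the Same-Origin Policy. It derives the (scheme, host, port) tuple that SOP compares and decides whether script on one page may read a response from another URL; the URLs are constructed samples. Real browsers add CORS opt-in exceptions on top of this default rule, which the example omits.

```javascript
// Added example: a model of the Same-Origin Policy's origin comparison.
// Not code from the article or from Chromium; URLs below are constructed samples.

// Ports implied by a scheme when the URL does not name one explicitly.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Compute the origin tuple (scheme, host, port) that SOP compares.
// new URL() drops an explicit default port, so both branches map
// "https://shop.example:443/" and "https://shop.example/" to port "443".
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port !== "" ? u.port : (DEFAULT_PORTS[u.protocol] || "");
  return { scheme: u.protocol, host: u.hostname, port };
}

// SOP decision: script running in `pageUrl` may read a response from
// `targetUrl` only when all three tuple components match exactly.
// A renderer compromise lets an attacker skip this check entirely, which is
// why the bug allows reading other sites' data and forging logins (UXSS).
function sameOrigin(pageUrl, targetUrl) {
  const a = originOf(pageUrl);
  const b = originOf(targetUrl);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Constructed cases: which reads a compliant renderer allows or blocks.
const CASES = [
  ["https://shop.example/cart", "https://shop.example/api/profile", true],  // same origin
  ["https://shop.example/cart", "http://shop.example/api/profile", false],  // scheme differs
  ["https://shop.example/cart", "https://shop.example:8443/admin", false],  // port differs
  ["https://shop.example/cart", "https://bank.example/account", false],     // host differs
  ["https://shop.example:443/cart", "https://shop.example/api", true],      // explicit default port
];

// Evaluate every case and report the decision next to the expected one.
function runCases() {
  return CASES.map(([page, target, expected]) => ({
    page,
    target,
    allowed: sameOrigin(page, target),
    expected,
  }));
}

for (const r of runCases()) {
  console.log(`${r.allowed ? "ALLOW" : "BLOCK"} ${r.page} -> ${r.target}`);
}
```

Every cross-site read in the table is blocked only because the renderer performs this comparison honestly; once an attacker controls the renderer, nothing below it re-checks origins, which is what makes a renderer-level SOP bypass equivalent to reading any site as the victim.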

Google has already fixed the vulnerability, tracked as CVE-2017-5121, in Chrome 61. Google awarded the Microsoft researchers a $7,500 bug bounty for reporting it; together with other bugs the Microsoft team reported to Google, the total bounty came to $15,837.
