Security researchers have reported that two critical use-after-free (UAF) vulnerabilities in Google Chrome’s Browser process were actively exploited in the wild, putting users at risk of potential sandbox escapes and arbitrary code execution.
However, the implementation of the MiraclePtr defense mechanism by Google has effectively prevented these vulnerabilities from being exploited, marking a significant advancement in browser security.
The vulnerabilities, as detailed in the official report from SSD Labs, were present in Chrome versions 133.0.6835.0 to 135.0.7016.0. The bugs stemmed from the mishandling of callbacks bound to raw pointers and WeakPtr, particularly within the synchronization services.
For instance, the vulnerability could be triggered in the code snippet from components/sync/service/sync_service_impl.cc, where the destruction of the callback’s instance while the task is still executing leads to a UAF condition.
The mechanism behind this vulnerability involves hidden reference counters that increase each time a pointer is allocated. Only when all references are gone is the memory actually freed, and an attempt to use a freed pointer results in an intentional crash, not code execution.
Demonstrations have revealed that opening certain Chrome pages and quickly closing the associated window could exploit the vulnerable code paths, causing a crash and potential exploitation. However, with MiraclePtr in place, these attempts only result in a crash without compromising security.
The prompt identification and mitigation of these UAF vulnerabilities, thanks to Chrome’s proactive defense measures, emphasize the ongoing arms race in browser security. Despite being actively exploited in the wild, the utilization of MiraclePtr has effectively thwarted these attacks for the time being.
Security experts advise all Chrome users to ensure their browsers are up to date to safeguard against similar threats. The continuous enhancement of MiraclePtr technology underscores Google’s dedication to shielding its extensive user base from even the most sophisticated cyber attacks.