A Chrome 85 update released by Google this week patches several high-severity vulnerabilities, including ones that can be exploited to hack users by convincing them to install malicious extensions.
The extension-related vulnerabilities, described by Google as “insufficient policy enforcement in extensions,” were discovered by researcher David Erceg in August. He identified three vulnerabilities of this type: CVE-2020-15961, a high-severity issue for which he received a $15,000 bug bounty; CVE-2020-15963, also a high-severity flaw, for which he earned $5,000; and CVE-2020-15966, which has been rated medium severity and for which the bug bounty has yet to be determined.
Erceg told SecurityWeek that the vulnerabilities he discovered all target a specific API made available to extensions — he has not named the impacted API due to the fact that Google hasn’t mentioned it either in its release notes.
Exploitation of all three flaws involves convincing the targeted user to install a malicious extension with some specific privileges.
“Two of the issues (the high severity issues) allow an extension to download and run an executable file. In both cases, no user interaction would be required after the extension install,” Erceg explained. “In a real world attack, those issues would allow an extension to run an executable outside of the browser's sandbox shortly after install (using the first issue, it could plausibly be done within a few seconds).”
He noted that the second high-severity vulnerability (CVE-2020-15963) can only be exploited to run an executable outside of the sandbox if certain conditions are met. If these conditions are not met, the attacker could still perform certain actions, such as accessing privileged pages or reading local files. Alternatively, an attacker could chain this flaw with another weakness to execute code outside of the sandbox.
The medium ..