
Google Chrome web browser gets another security enhancement

Google has released version 47 of its popular Chrome web browser. Besides fixing a large number of vulnerabilities in the browser, a new feature has been added that was already present in the beta version. We wrote about it in March of this year: a ban on the use of the win32k.sys driver by Chrome's sandboxed processes. At the time it was in test mode and was available only in the beta channel.



The new version of the browser adds a setting called “Use Win32k lockdown for PPAPI Windows plug-ins”, which lets you specify which plug-ins are subject to this extra control. This concerns primarily the Flash Player and PDF reader plug-ins, for which exploits are not uncommon. With the setting enabled, the ban on the use of win32k.sys is applied to the sandboxed Chrome processes in which these plug-ins run.

The setting can be found on the Chrome flags page at chrome://flags/#enable-ppapi-win32k-lockdown. Initially it is set to “Default”, which presumably means the lockdown is active for all launched sandboxed plug-in processes. The other available values are Disabled, Flash Only, PDF Only, Flash and PDF, and All Plugins. Because attackers often use content for third-party plug-ins to exploit vulnerabilities, these plug-ins were given separate entries in the list.
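Toggling the flag does not by itself show which Chrome processes actually ended up with the lockdown. The following PowerShell script is an added example (not part of the original article or of Chromium) that asks Windows directly: for every running chrome.exe it reads the process's system-call-disable mitigation policy via the documented GetProcessMitigationPolicy API and reports whether the DisallowWin32kSystemCalls bit is set. It assumes Windows 8 or later (where that API exists), PowerShell 3 or later, and that Chrome's command line carries a --type=... switch for its child processes; processes without that switch are labelled "browser", which is an assumption of this script, not something the article states.

```powershell
# Added example, not from the original article: report whether each running
# chrome.exe process has the win32k system-call lockdown enabled.
# Assumes Windows 8+ (GetProcessMitigationPolicy) and PowerShell 3+.

$nativeSrc = @"
using System;
using System.Runtime.InteropServices;
public static class NativeMitigation {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, uint processId);

    // PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY is a 4-byte flags word;
    // bit 0 is DisallowWin32kSystemCalls.
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool GetProcessMitigationPolicy(IntPtr process, int policy, out uint flags, IntPtr length);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
"@
Add-Type -TypeDefinition $nativeSrc

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$ProcessSystemCallDisablePolicy    = 4      # PROCESS_MITIGATION_POLICY enum value

function Get-ChromeWin32kLockdown {
    # Win32_Process exposes the command line, which carries Chrome's --type=... switch
    Get-CimInstance Win32_Process -Filter "Name = 'chrome.exe'" | ForEach-Object {
        # Assumption: a chrome.exe without --type is the main browser process
        $type = if ($_.CommandLine -match '--type=([^\s]+)') { $Matches[1] } else { 'browser' }
        $locked = $null
        $h = [NativeMitigation]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$_.ProcessId)
        if ($h -ne [IntPtr]::Zero) {
            $flags = [uint32]0
            if ([NativeMitigation]::GetProcessMitigationPolicy($h, $ProcessSystemCallDisablePolicy, [ref]$flags, [IntPtr]4)) {
                $locked = (($flags -band 1) -ne 0)
            }
            [void][NativeMitigation]::CloseHandle($h)
        }
        [pscustomobject]@{
            Pid            = $_.ProcessId
            Type           = $type
            Win32kLockdown = $locked   # $null: process could not be opened or queried
        }
    }
}

Get-ChromeWin32kLockdown | Sort-Object Type, Pid | Format-Table -AutoSize
```

Run it with a Flash or PDF document open and compare the Win32kLockdown column of the plug-in processes (the ones with Type "ppapi") against the value chosen under chrome://flags/#enable-ppapi-win32k-lockdown, then flip the flag, restart Chrome and run it again. Note that this only reports the mitigation policy Windows holds for each process; it says nothing about whether a given exploit is actually blocked.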
Vulnerabilities in the win32k.sys driver are used by attackers to obtain the highest privileges (SYSTEM) on the machine. Combined with an RCE vulnerability in the browser, this lets them gain complete control of the user's system through the browser by running attacker-supplied code on it. With such rights the attackers can execute kernel-mode code, obtaining maximum capabilities on the compromised system. The price of such an exploit chain for Chrome can exceed $100k.

Disabling the use of the win32k.sys driver for sandboxed processes is another significant measure for protecting users from the destructive actions of exploits.

Source: https://habr.com/ru/post/272223/
