Microsoft discloses vulnerabilities in Chrome and Opera

Microsoft has issued two advisories on Chrome and Opera, detailing remote code execution and information disclosure vulnerabilities. The disclosure is the result of the Microsoft Vulnerability Research (MSVR) system going live, which is one of the core items within their Coordinated Vulnerability Disclosure (CVD) program.
On Tuesday, Microsoft issued an MSRV Advisory related to use-after-free memory errors in Google’s Chrome, which, if exploited, would have triggered a crash and allowed remote code execution in the browsers sandbox.

“When attempting to parse specially crafted Web content, Google Chrome references memory that has been freed. An attacker could exploit the vulnerability to cause the browser to become unresponsive and/or exit unexpectedly, allowing an attacker to run arbitrary code within the Google Chrome Sandbox,” the advisory explains.

Google has addressed the issue in a patch delivered last September. Versions 6.0.472.59 and earlier of the browser were affected. The vulnerability was discovered by Microsoft’s David Weston, who was paid a $500 USD bounty for his efforts by Google.

The second MSVR Advisory centers on information disclosure issues within Opera and Chrome, due to how they deal with HTML 5. According to Microsoft, while browsing certain Web sites, Google Chrome and Opera may not validate the origin of specific canvas elements. According to the W3C, “leakage can occur if scripts from one origin can access information from another origin.”

“An attacker in possession of the IP address of a network resource could exploit the vulnerability to obtain private information stored on the network resource... Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but the attacker could use the information gained to try to further compromise the affected system,” Microsoft explained.

Google issued a fix in December, and Opera patched the problem with the 10.63 release of their browser. While not paid a bounty, Microsoft’s Nirankush Panchbhai was given credit by Opera and Google for the discovery.

“It's a positive trend to see software companies performing vulnerability research on other vendor's products,” commented Chris Wysopal, Co-Founder and CTO of Veracode, in a statement.

“When the research is disclosed in a way that doesn't amplify the harm the vulnerability may have already created we will see a positive effect on the security of the community at large.”

Microsoft announced the CVD program last July. It’s a renaming of the principal of responsible disclosure, where a researcher attempts to work with a vendor to fix flaws before reporting them to the public. The program is a way to shift researchers away from full disclosure, where unpatched vulnerabilities are disclosed to the public and the vendor at the same, assuming the vendor is told at all.

Most researchers opt for responsible disclosure, and will only report vulnerabilities to the public if the vendor is unresponsive or there are active attacks on the vulnerability itself. Microsoft will do the same thing.
“Unfortunately, sometimes a vulnerability becomes publicly known or is exploited before a vendor-supplied remediation is available. In this case, Microsoft makes reasonable efforts to coordinate with the affected vendor to release an MSVR Advisory that includes potential mitigations and workarounds,” the company explains in an overview of the CVD process.

“This provides users with information and possible actions to protect themselves against an active vulnerability until the vendor supplies their remediation… In the event of public attacks, Microsoft may also work with its partners to provide protection if a vendor-supplied remediation is not available.”

More information on the MSVR Advisories can be found here. If you want to read the CVD policy, you can download that from the MSRC here.

News Source : http://www.thetechherald.com

Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.