New instance of Chrome patch gapping reported

• A new instance of patch gapping in Google Chrome has been reported by an Exodus Intelligence researcher, István Kurucsai.
• A recent patch for Chrome’s V8 JavaScript engine bug was developed in August but will reach users only on September 10.

What is patch gapping?

Patch gap describes the time window between the fix of a security bug and its availability to the users. This time window can be leveraged by hackers who closely follow security patches and attack systems before the patch is made public.

The time period between the fix and release of the fix may even extend to months, and this is causing increased concern in the security world.

Details about Chrome’s patch gap

Although patch gaps occur frequently, ones that can actually be misused by attackers aren’t many. However, the latest instance of the patch gap by Chrome opens up opportunities for hackers to develop an exploit and execute malicious code on users’ browsers.

• The V8 bug, whose fix caused a patch gap we’re discussing, is said to be critical.
• Tracked as #992914, the patch for this bug was made in August but scheduled to go live along with the release of Chrome 77 on September 10.
• Cyber attackers had sufficient time to analyze Chrome fixes, and develop an exploit to make use of the patch gap.

This patch gap was exposed by István Kurucsai, a security researcher at Exodus Intelligence.

Exploiting this patch gap

Although developing exploits for Chrome is not easy, an attacker with a strong background in JavaScript could do it.

• To emphasize the possibility of the exploit, Kurucsai released proof of concept code on GitHub
• This exhibits how attackers can make use of the V8 bug to run malicious code in Google Chrome.

This code isn’t fully effective as attackers need to exploit another vulnerability to escape the Chrome sandbox. However, hackers could still target older versions of Chrome where both the bugs aren’t fixed.

What can you do?

The exploit does not exhibit any unusual behavior and so detecting malicious code is quite difficult. It is recommended to disable JavaScript execution in Chrome settings as a temporary mitigation measure until the vulnerability is completely patched by Google.