New instance of Chrome patch gapping reported
- A new instance of patch gapping in Google Chrome has been reported by an Exodus Intelligence researcher, István Kurucsai.
What is patch gapping?
Patch gap describes the time window between the fix of a security bug and its availability to the users. This time window can be leveraged by hackers who closely follow security patches and attack systems before the patch is made public.
The time period between the fix and release of the fix may even extend to months, and this is causing increased concern in the security world.
Details about Chrome’s patch gap
Although patch gaps occur frequently, ones that can actually be misused by attackers aren’t many. However, the latest instance of the patch gap by Chrome opens up opportunities for hackers to develop an exploit and execute malicious code on users’ browsers.
- The V8 bug, whose fix caused a patch gap we’re discussing, is said to be critical.
- Tracked as #992914, the patch for this bug was made in August but scheduled to go live along with the release of Chrome 77 on September 10.
- Cyber attackers had sufficient time to analyze Chrome fixes, and develop an exploit to make use of the patch gap.
This patch gap was exposed by István Kurucsai, a security researcher at Exodus Intelligence.
Exploiting this patch gap
- To emphasize the possibility of the exploit, Kurucsai released proof of concept code on GitHub
- This exhibits how attackers can make use of the V8 bug to run malicious code in Google Chrome.
This code isn’t fully effective as attackers need to exploit another vulnerability to escape the Chrome sandbox. However, hackers could still target older versions of Chrome where both the bugs aren’t fixed.
What can you do?