
Google’s Project Zero tweaking Microsoft, because it did fix a bug


For once, a Google Project Zero bug report to Microsoft has resulted in a fix without a public spat. Indeed, this fix happened without any public announcement at all.

Back in 2014, Project Zero’s James Forshaw told Redmond he’d found a Windows Kernel Object Manager bug that permitted a “limited bypass of traverse permissions” – because it enabled a Chrome sandbox escape.

The problem lay in the behaviour of the SeFastTraverseCheck function, and Forshaw originally said he didn’t “really expect this will be considered a bulletin class issue, if it’s considered an issue at all”.

He was right: a year later he made the report public because Redmond had put it in the “won’t fix” basket – but at some point since 2015 a fix did happen, and Forshaw notes that it also explains what he first saw.

It turns out the bug was in another component, SeCreateAccessState:


“SeFastTraverseCheck is doing a check for the TOKEN_IS_RESTRICTED flag and failing early (which would lead to a bypass of traversal privileges for Chrome etc.), however SeCreateAccessState was never setting that flag in the ACCESS_STATE Flags member which means that the check was bypassed.”
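To make the quoted mechanism concrete, here is an added C model of the check. It is not Windows source and not Forshaw’s code: only the identifiers SeFastTraverseCheck, SeCreateAccessState, ACCESS_STATE and TOKEN_IS_RESTRICTED come from the article; the flag value, the struct layouts and the helper functions are assumptions. The model shows why a restricted (sandboxed) token slipped through the fast traverse path before the fix and is forced onto the full access check after it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not Windows source: a simplified model of the traverse-check
 * logic the bug report describes. Flag value and struct layouts are constructed. */

#define TOKEN_IS_RESTRICTED 0x1u  /* constructed value, not the real kernel constant */

typedef struct {
    bool restricted;  /* token carries restricting SIDs, as a Chrome sandbox token does */
} TOKEN;

typedef struct {
    uint32_t flags;   /* stands in for the ACCESS_STATE Flags member the quote refers to */
} ACCESS_STATE;

/* Pre-fix behaviour: the flags are left clear no matter what the token looks like. */
static void SeCreateAccessState_buggy(ACCESS_STATE *as, const TOKEN *tok) {
    (void)tok;
    as->flags = 0;
}

/* Fixed behaviour: the token's restricted state is recorded in the access state. */
static void SeCreateAccessState_fixed(ACCESS_STATE *as, const TOKEN *tok) {
    as->flags = tok->restricted ? TOKEN_IS_RESTRICTED : 0;
}

/* The fast path: a restricted token must fail early and fall back to the full
 * access check; any other token gets the fast-traverse allowance.
 * Returns true when the fast path grants traverse. */
static bool SeFastTraverseCheck(const ACCESS_STATE *as) {
    if (as->flags & TOKEN_IS_RESTRICTED)
        return false;   /* early fail: the full check must decide */
    return true;
}

/* Does the fast path grant traverse for this token on this kernel version? */
bool fast_traverse_granted(bool token_restricted, bool use_fixed_kernel) {
    TOKEN tok = { .restricted = token_restricted };
    ACCESS_STATE as;
    if (use_fixed_kernel)
        SeCreateAccessState_fixed(&as, &tok);
    else
        SeCreateAccessState_buggy(&as, &tok);
    return SeFastTraverseCheck(&as);
}

int main(void) {
    printf("pre-fix kernel, restricted token: fast traverse granted = %d\n",
           fast_traverse_granted(true, false));
    printf("fixed kernel,   restricted token: fast traverse granted = %d\n",
           fast_traverse_granted(true, true));
    printf("fixed kernel,   normal token:     fast traverse granted = %d\n",
           fast_traverse_granted(false, true));
    return 0;
}
```

The point for a sandbox maintainer is that the early-fail branch in SeFastTraverseCheck was correct all along; the defect sat in the producer of the access state, so a test that only exercised the check with hand-built flags would never have caught it. An end-to-end test using a genuinely restricted token, as Chrome’s sandbox creates, is what surfaces the difference.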

The fix would have passed entirely without notice, had Forshaw been able to resist taking a dig at Microsoft:

Got to love silent fixes (https://t.co/A1dzgYzuwQ). This corrects a long standing issue for Chrome’s sandbox. Any comment @msftsecresponse?

— James Forshaw (@tiraniddo) November 30, 2016

His post on the Chrome blog dates the fix as far back as November 2015, in Windows 10 build 10586.
