Researchers discovered two critical UAF vulnerabilities in Chrome, actively exploited in the wild, but Google’s MiraclePtr defense has now blocked them, strengthening browser security.
All about the Chrome UAF vulnerability
SSD Labs’ official report states that the vulnerabilities affected Chrome versions 133.0.6835.0 to 135.0.7016.0.
The issues stemmed from improper handling of callbacks tied to raw pointers and WeakPtr, particularly in synchronization services.
Here’s an example from components/sync/service/sync_service_impl.cc:
void SyncServiceImpl::GetLocalDataDescriptions(… DataTypeSet types,
    base::OnceCallback<void(std::map<DataType, LocalDataDescription>)> callback) {
  // Defer the real work to the current sequence. Binding weak_factory_.GetWeakPtr()
  // instead of a raw `this` means the task is dropped if the service is destroyed first.
  base::SequencedTaskRunner::GetCurrentDefault()->PostTask(
      FROM_HERE,
      base::BindOnce(&SyncServiceImpl::GetLocalDataDescriptionsImpl,
                     weak_factory_.GetWeakPtr(), types, std::move(callback)));
}
The vulnerability occurs when the object a callback is bound to is destroyed while the posted task is still pending or running; when the task then dereferences the stale pointer, the result is a use-after-free (UAF) condition.
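To show why the weak binding in the snippet above matters, here is an added example that is not Chromium code: it models the posted-task pattern with a tiny task queue, std::function and std::weak_ptr standing in for SequencedTaskRunner, base::BindOnce and base::WeakPtr. All names (TaskQueue, SyncServiceLike, RunScenario) are invented for the illustration.

```cpp
#include <functional>
#include <iostream>
#include <memory>
#include <utility>
#include <vector>

// Minimal stand-in for a sequenced task runner: tasks run later, in order.
struct TaskQueue {
    std::vector<std::function<void()>> tasks;
    void PostTask(std::function<void()> t) { tasks.push_back(std::move(t)); }
    void RunAll() { for (auto& t : tasks) t(); tasks.clear(); }
};

// Stand-in for SyncServiceImpl; records how often the Impl method ran.
struct SyncServiceLike {
    explicit SyncServiceLike(int* calls) : impl_calls(calls) {}
    void GetLocalDataDescriptionsImpl() { ++*impl_calls; }
    int* impl_calls;
};

// Unsafe variant (shown, not executed): a raw pointer captured in the task keeps
// no knowledge of the owner's lifetime, so running it after the service is gone
// dereferences freed memory. This is the bug class the article describes.
//   q.PostTask([raw = service.get()] { raw->GetLocalDataDescriptionsImpl(); });

// Safe variant: the task holds a weak reference and checks it before use, which is
// what weak_factory_.GetWeakPtr() achieves in the Chromium snippet.
void PostWeaklyBound(TaskQueue& q, const std::shared_ptr<SyncServiceLike>& service,
                     int& skipped) {
    std::weak_ptr<SyncServiceLike> weak = service;
    q.PostTask([weak, &skipped] {
        if (auto strong = weak.lock()) strong->GetLocalDataDescriptionsImpl();
        else ++skipped;  // owner already destroyed: the task becomes a no-op
    });
}

// Posts one weakly bound task, optionally destroying the service before the queue
// drains. Returns {impl calls observed, tasks skipped}.
std::pair<int, int> RunScenario(bool destroy_before_run) {
    TaskQueue q;
    int impl_calls = 0, skipped = 0;
    auto service = std::make_shared<SyncServiceLike>(&impl_calls);
    PostWeaklyBound(q, service, skipped);
    if (destroy_before_run) service.reset();  // last strong reference dropped
    q.RunAll();
    return {impl_calls, skipped};
}

int main() {
    auto [ran, skipped] = RunScenario(true);
    std::cout << "impl calls: " << ran << ", skipped: " << skipped << "\n";
}
```

With the service destroyed first, the task is skipped instead of touching freed memory; with the service alive, the Impl method runs once.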
How MiraclePtr Works:
- Each protected pointer carries a hidden reference counter.
- Memory is only released once all references to the object are gone.
- Dereferencing a dangling pointer therefore causes a controlled crash, not code execution.
Proof of Concept and Exploit Attempts
Demonstrations showed that opening certain Chrome pages and quickly closing the window could trigger the vulnerability, leading to a crash and potential exploit.
However, with MiraclePtr enabled, these actions now only cause a crash, preventing further security risks.
The quick identification and mitigation of these vulnerabilities by Chrome highlight the ongoing evolution of browser security.
Even though the vulnerabilities were actively exploited in the wild, MiraclePtr has effectively blocked this attack vector.
Experts advise Chrome users to update their browsers to stay secure against similar threats. Google continues to improve MiraclePtr, reinforcing its commitment to protecting users from sophisticated attacks.