Chrome: zero-day vulnerabilities on Chromium increase

Google's security team confirms the large increase in zero-day vulnerabilities in the Chromium codebase • by Claudio Garau • March 11, 2022

As members of Mountain View's Project Zero team have themselves admitted in the past few hours, zero-day vulnerabilities affecting the Chromium codebase have reportedly multiplied over the last few years. A situation of this kind could have repercussions for every web browser that relies on it, starting with Google Chrome and Microsoft Edge. But what explains a figure that has never been as high as it is now? The Chrome Security team tried to answer this question by looking at the period between 2019 and today, that is, the period in which the greatest number of zero-day vulnerabilities is said to have been observed.

Google's answers

One reason lies in greater transparency on the part of vendors: essentially, what has increased is not only the number of bugs but also developers' willingness to confirm their existence.

Secondly, the Chromium codebase is implemented to reflect the complexity of today's operating systems, platforms with particularly security-sensitive features such as those that allow access to the hardware of the host device.

It should also be considered that the Chromium project is used to develop a large number of more or less well-known browsers, which means that when the codebase is vulnerable, so are all the applications that rely on it. On this point it should be remembered that malicious users can no longer exploit the problems of the Flash Player, and this has reportedly resulted in a greater number of attacks directed against browsers.

Finally, the Big G spokespersons recalled that certain types of attack that could previously be conducted using a single bug now require several bugs to be carried out.

The bug chain

One cause of this last point is, for example, Site Isolation, which loads Internet content in the browser through processes separate from the rest of the system. This protection cannot be circumvented through a single bug, because doing so requires working through a chain of vulnerabilities and acquiring elevated access privileges.

In the vast majority of cases the exploited bugs have already been patched but reportedly remain available through the repositories of the platforms hosting open source code, which gives attackers useful information for tracking down a zero-day vulnerability.

Source: Chromium Blog
