The cost of zero-day exploits has always been high, especially for those that allow an attacker to remotely execute code on a host machine. But why pay hundreds of thousands of dollars for a 0-day when a relatively simple drive-by attack doesn’t need one and can achieve much the same result? That question interested an Imperva security researcher, who has published a report on a new drive-by attack that uses something called the Evil Code Editor. Here’s what you need to know.
“A remote code execution chain in Google Chrome, which allows an attacker to execute code on the host machine, can cost anywhere from $250,000 to $500,000,” Ron Masas, a security researcher at Imperva, said in a November 7th report. With that kind of spending power reserved mostly for spy agencies and state-sponsored attackers, Masas pondered, where does that leave the “average script kiddie” who was using similar methods years ago? Java drive-by downloads were relatively commonplace back in 2008, when Masas started his security coding career, using small Java applets embedded into web pages. Fast forward to 2022, and Masas started exploring the File System Access API, which enables websites to read and write certain files selected by the user. “With some notable exceptions,” Masas noted, “being what Chrome considers to be system files.”[1]
Masas said the technique affects all Chromium-based web browsers and that the API bypasses both Windows and macOS security mechanisms, although the report specifically focuses on macOS. Gatekeeper on macOS is a security feature that prevents users from running untrusted software, and macOS has an additional app sandbox that limits an app’s access to system resources and data. “The Chrome browser does not use this sandboxing feature,” Masas said, “which is another reason the File System Access API can be so dangerous.” If a user interacts with the File System Access API on a website, they will be prompted to approve write access; get this wrong and, Masas pointed out, “all previous security boundaries are bypassed.”
So, what about the com.apple.quarantine attribute, added by the API, which flags the file as untrustworthy because it was downloaded from the internet? “A limitation of macOS Gatekeeper,” Masas said, is that “it does not recheck this binary when executed by another application, which in our case is Google Chrome itself.”
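Because the quarantine attribute is still written to the file, it remains useful as a provenance record even where Gatekeeper does not re-evaluate it. As an added defender-side check (this is not code from the Imperva report or the Forbes article), the Python script below decodes com.apple.quarantine values and flags executable files whose attribute names a browser as the downloading agent, so they can be assessed by hand. It assumes the attribute’s value layout is "flags-hex;unix-time-hex;agent;uuid" (the uuid may be empty); the browser agent list, the verdict labels and the sample records are constructed for illustration.

```python
"""Audit files for the macOS com.apple.quarantine attribute.

Added example for this article, not code from the Imperva report.  It
assumes the attribute value layout "<flags hex>;<unix time hex>;<agent>;<uuid>"
(the uuid may be absent); the sample records below are constructed.
"""
import os
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional

QUARANTINE_XATTR = "com.apple.quarantine"
# Assumed agent names; real values depend on how each app labels itself.
BROWSER_AGENTS = {"Chrome", "Google Chrome", "Safari", "Firefox", "Microsoft Edge"}


@dataclass
class Quarantine:
    flags: int           # kept as the raw hex value; bit meanings are not decoded here
    timestamp: datetime  # when the file was quarantined (UTC)
    agent: str           # application that wrote the file
    uuid: Optional[str]  # LaunchServices event id, may be absent


def parse_quarantine(value: str) -> Quarantine:
    """Decode one attribute value; raises ValueError on malformed input."""
    parts = value.split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(parts[0], 16)
    stamp = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    uuid = parts[3] if len(parts) > 3 and parts[3] else None
    return Quarantine(flags, stamp, parts[2], uuid)


def read_quarantine(path: str) -> Optional[Quarantine]:
    """Read the attribute from a real file; None where absent or unsupported."""
    getxattr = getattr(os, "getxattr", None)  # not available on Windows
    if getxattr is None:
        return None
    try:
        raw = getxattr(path, QUARANTINE_XATTR)
    except OSError:
        return None
    return parse_quarantine(raw.decode("utf-8", "replace"))


def classify(executable: bool, q: Optional[Quarantine]) -> str:
    """Verdict for one file given its executable bit and parsed attribute."""
    if not executable:
        return "ignore"                   # data files are not what Gatekeeper gates
    if q is None:
        return "review-unquarantined"     # executable with no provenance record at all
    if q.agent in BROWSER_AGENTS:
        # Candidate for a manual check, e.g. `spctl --assess --type execute <file>`
        return "review-browser-download"
    return "quarantined"


def scan_directory(directory: str) -> Dict[str, str]:
    """Apply classify() to every regular file in a directory (live use)."""
    results = {}
    for entry in os.scandir(directory):
        if entry.is_file(follow_symlinks=False):
            is_exec = os.access(entry.path, os.X_OK)
            results[entry.name] = classify(is_exec, read_quarantine(entry.path))
    return results


# Constructed sample records: (name, executable bit set, raw attribute value or None)
SAMPLE_RECORDS = [
    ("report.pdf", False, "0083;6733a1c0;Chrome;6F1C2D3E-0000-4000-8000-000000000001"),
    ("installer", True, "0083;6733a1c0;Chrome;6F1C2D3E-0000-4000-8000-000000000002"),
    ("helper.sh", True, None),
    ("tool", True, "0081;6733a1c0;Installer;"),
]


def audit(records=SAMPLE_RECORDS) -> Dict[str, str]:
    """Return {name: verdict} for in-memory records (offline demonstration)."""
    return {
        name: classify(is_exec, parse_quarantine(value) if value else None)
        for name, is_exec, value in records
    }


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:12s} {verdict}")
```

Run it as-is to see the verdicts for the constructed records, or call scan_directory on a Downloads folder on a Mac; the "review-" verdicts are the files worth passing through spctl or a second-opinion scanner before they are run.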
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941

Weekly Cyber Intelligence Briefings:
- REDSHORTS - Weekly Cyber Intelligence Briefings: https://register.gotowebinar.com/register/5378972949933166424
[1] https://www.forbes.com/sites/daveywinder/2024/11/12/google-chrome-warning-new-drive-by-cyber-attack-no-0-day-needed/