The vulnerabilities, identified by SSD Labs Korea, targeted the browser process—a frequent vector for attackers seeking to break out of Chrome’s security sandbox and execute arbitrary code.
Use-after-free (UAF) bugs occur when a program continues to use a pointer to memory after it has been freed.
In the context of browsers like Chrome, UAF vulnerabilities are particularly dangerous.
They can allow attackers to corrupt memory, hijack control flow, and ultimately execute code outside the browser’s sandbox, bypassing vital security boundaries.
The two vulnerabilities disclosed centered around Chrome’s password manager and sync features. Both involved asynchronous callbacks in the SyncServiceImpl SyncHandler classes, where raw pointers were used in a way that could result in accessing freed memory if certain objects were destroyed during task execution.
In the past, such flaws would have been prime targets for exploitation using heap spraying and vTable corruption techniques, enabling attackers to achieve code execution with elevated privileges.
MiraclePtr is Chrome’s innovative response to the persistent threat of UAF exploits.
At its core, MiraclePtr leverages a reference-counting mitigation technique called BackupRefPtr (BRP), tightly integrated with Chrome’s custom heap allocator, PartitionAlloc.
Key technical features include:
delete or free It is called the memory is not immediately reclaimed. Instead, the object is moved to a quarantine area, making it unavailable for reallocation.0xcc). This ensures that any accidental or malicious access results in a crash, not code execution.BackupRefPtr template class ensures that memory is only actually freed when the last reference is destroyed, preventing dangling pointers.Pseudo-code from the MiraclePtr implementation illustrates this process:
cppvoid* Alloc(size_t size) {
void* ptr = ActuallyAlloc(size);
if (isSupportedAllocation(ptr)) {
int& ref_count = *(cast<int*>(ptr) - 1);
ref_count = 1;
}
return ptr;
}
void Free(void* ptr) {
if (isSupportedAllocation(ptr)) {
atomic_int& ref_count = *(cast<atomic_int*>(ptr) - 1);
if (ref_count != 1)
memset(ptr, 0xcc, getAllocationSize(ptr));
if (--ref_count != 0)
return;
}
ActuallyFree(ptr);
}
The two UAF vulnerabilities uncovered by SSD Labs Korea were demonstrated using proof-of-concept attacks that previously would have allowed attackers to trigger a crash and potentially execute code by corrupting the vTable of a freed object.
However, with MiraclePtr fully enabled, these attacks are rendered non-exploitable.
The reference counting and memory quarantine mechanisms ensure that even if an attacker tries to reclaim and manipulate freed memory, the result is at most a crash, never successful code execution.
MiraclePtr represents a major leap forward in defending against a class of vulnerabilities that has long plagued browsers.
By combining reference counting, custom heap management, and aggressive memory quarantine, Chrome now offers robust protection against UAF-based sandbox escapes.
As MiraclePtr becomes standard across browser components, the window for attackers to exploit these critical flaws is rapidly closing, setting a new benchmark for browser security.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant updates
The post Chrome Under Attack: UAF Process Flaws Exploited in Active Campaigns appeared first on Cyber Security News.
Jim Jarmusch—the director of Stranger Than Paradise, Down by Law, and Dead Man—recently stepped into…
A North Korea-linked hacking group known as WaterPlum has introduced a dangerous new malware called…
A critical security flaw in Microsoft SharePoint has been identified as actively exploited, and on…
A dangerous new malware implant called SnappyClient has quietly emerged as a serious threat to…
High-quality visuals are essential for capturing attention online. Whether for social media, blog posts, or…
Why your stalled AI pilots are the most valuable thing in your transformation program While…
This website uses cookies.