Security researchers expose another instance of Chrome patch gapping

Security bug patched in Chrome's V8 JavaScript engine, but the fix will only reach Chrome tomorrow.

Security researchers have found another instance of "patch gapping" in the Google Chrome browser that could have been abused by hackers to develop exploits and launch attacks against Chrome users days before a patch would have been readily available for everyone.

What is "patch gapping"?

"Patch gapping" is a relatively new technical term that is used to describe gaps in the patching process of software that relies on open-source components.

The "gap" refers to the time between when a security flaw is fixed in an open-source component and when that fix reaches the software that bundles the component.

Researchers argue that attackers can keep an eye out for bug fixes in open-source components and leverage the patch gap to launch attacks against the more popular downstream software, which has not yet rolled out the fix because it is still testing the patch.

This is exactly what happened last month to Google Chrome, today's most popular web browser, used by more than one billion users.

Chrome's latest patch gap

While patch gaps happen all the time, not all software fixes can be manipulated in a way that's useful for developing weaponized exploits. "Weaponizable" bugs are rare, and not all of them happen to be in Chrome's open-source components.

However, in a report published today, István Kurucsai, a security researcher for Exodus Intelligence, said he found one in V8, the open-source component used as Chrome's JavaScript engine.

The bug was both critical and widespread in the Chrome codebase, enough to be useful for developing an exploit that could allow attackers to execute malicious code inside users' browsers.

The "patch gap" occurred because the V8 bug (tracked as #992914) was patched in August, but the fix for Chrome users is scheduled to go live tomorrow, on September 10, with the release of Chrome 77.

Kurucsai argues that threat actors had weeks to scour the V8 changelog for security fixes and then develop exploits that could have been used against Chrome.

Proof-of-concept code available on GitHub

Developing Chrome exploits is no trivial task, but an attacker well-versed in JavaScript could have done it. To prove that this was possible, Kurucsai released proof-of-concept code on GitHub that leveraged the original V8 bug to run malicious code inside Chrome.

This proof-of-concept code isn't fully weaponized, since attackers need a second bug to escape the Chrome sandbox (the browser's protected environment). However, this is not much of an obstacle. Attackers could have combined older Chrome sandbox escape bugs with the V8 bug to attack users running older versions of Chrome, where both bugs remain unfixed. With a userbase of over one billion, even attacking only older Chrome versions leaves attackers with a target base of tens of millions of vulnerable users ripe for the picking.

Kurucsai hopes that companies take note of this new attack vector and take steps to minimize their patch gaps accordingly.

This is the second patch gap that Kurucsai discovered in Chrome's software supply chain. He found a first one in April, which also left Chrome users open to attacks for weeks.