by hedora
2250 days ago

Windows has an incredibly complicated set of token based authentication mechanisms that Chrome relies on. They interact with each other in non-trivial ways and were introduced piecemeal over a few decades. It is so complicated that even the people maintaining it don’t understand it, and they accidentally added a privilege escalation path. The author uses that to use a Chrome sandbox bug to escape from the sandbox. The real WTF is the complexity and obscurity of the security primitives being exported from the kernel. Arguably, all major operating systems have the same issue, and are getting worse over time — I doubt anyone understands all of the layers of privilege checking mechanisms that have been bolted on to Linux, Windows or Mac OS over the years.