Google publishes exploit code threatening millions of Chromium users

Google on Wednesday published exploit code for an unfixed vulnerability in its Chromium browser codebase that threatens millions of people using Chrome, Microsoft Edge, and virtually all other Chromium-based browsers.

The proof-of-concept code exploits the Browser Fetch programming interface, a standard that allows long videos and other large files to be downloaded in the background. An attacker can use the exploit to create a connection for monitoring some aspects of a user’s browser usage and as a proxy for viewing sites and launching denial-of-service attacks. Depending on the browser, the connections either reopen or remain open even after the browser or the device running it has rebooted.

Unfixed for 29 months (and counting)

The unfixed vulnerability can be exploited by any website a user visits. In effect, a compromise amounts to a limited backdoor that makes a device part of a limited botnet. The capabilities are limited to the same things a browser can do, such as visiting malicious sites, providing anonymous proxy browsing for others, enabling proxied DDoS attacks, and monitoring user activity. Nonetheless, the exploit could allow an attacker to wrangle thousands, possibly millions, of devices into a network. Once a separate vulnerability becomes available, the attacker could use it to then compromise all those devices.

“The dangerous part here is that you can just have a lot of different browsers together that you can in the future run something on that you figure out,” Lyra Rebane, the independent researcher who discovered the vulnerability and privately reported it to Google in late 2022, said in an interview. She said using the exploit code Google prematurely published would be “pretty easy,” although scaling it to wrangle large numbers of devices into a single network would require more work.

In the thread of Rebane’s disclosure to Google, two developers said in separate responses that it was a “serious vulnerability.” Its severity was rated S1, the second-highest classification. Since its reporting 29 months ago, the vulnerability remained unknown except to Chromium developers. Then on Wednesday morning, it was published to the Chromium bug tracker. Rebane initially assumed the vulnerability was finally fixed. Shortly thereafter, she learned that, in fact, it remained unpatched. While Google removed the post, it remains available on archival sites, along with the exploit code. Google representatives didn’t immediately respond to an email asking how and why the company published the vulnerability and if or when a fix would become available.

Long delays are common

Rebane said she has reported multiple other Chrome or Chromium vulnerabilities that have resulted in patches. She said long delays in fixing them are common, although this instance was the longest. “I think what happened is sort of nonstandard in that it does not get past any defined security boundaries,” she said. “So this does not let an attacker, for example, access your emails or your computer or something like that. I guess that led to [Google’s] own people getting assigned, or the people who were assigned not understanding it, and then that’s how it took such a long time.”

By exploiting the browser fetch API, the code opens a service worker that remains persistently active. The connection is invoked by JavaScript running on a malicious site. Exploits are particularly hard to detect when run on Edge. The JavaScript “might” open a downloads dropdown window, but it doesn’t add any items to it. On later browser launches, the window will no longer appear. On Chrome, the download dropdown is more persistent. In either case, less experienced users are likely to consider the behavior the result of a nuisance bug and have no idea their device is compromised.

In the private bug disclosure thread, a developer said that logs indicate that use of the background fetch feature is extremely limited on Chrome, with on average “~17 completed files per user per day.” “That’s pretty solid confirmation that nothing awful is happening at scale,” the developer wrote. It’s not known how widely the feature is used in browsers other than Chrome. Rebane said she doubts the vulnerability is being actively exploited against other browsers. Nonetheless, the vulnerability poses a risk. Users of Chromium browsers should be suspicious of download dropdowns that appear for no reason. Drilling into the cause and discovering they’re the result of the vulnerability being exploited remains more complicated.
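As an added example that is not from the article, from Chromium, or from the researcher's exploit: a small defender-side audit written against the Background Fetch API, which the article refers to as the browser fetch API (`ServiceWorkerRegistration.backgroundFetch`, with its `getIds()`, `get()` and `abort()` methods). Run in a page's DevTools console, it lists every Background Fetch registration the current origin's service workers hold, flags the ones still in progress, and can abort them. It assumes the audit can only see the origin it runs on; the `makeFakeContainer` stand-in, the scope URL `https://example.invalid/` and the fetch IDs are constructed so the logic can be exercised offline.

```javascript
// Added example (not from the article or from Chromium): audit the Background
// Fetch registrations held by the current origin's service workers and, when
// asked, abort the ones still in progress. Only the origin the page is on is
// visible to this code; that scope limit is an assumption, not an article claim.

// Summarise one ServiceWorkerRegistration's background fetches as plain objects.
async function summarizeRegistration(reg) {
  const out = [];
  if (!reg.backgroundFetch) return out;   // browser without the API (e.g. Firefox, Safari)
  const ids = await reg.backgroundFetch.getIds();
  for (const id of ids) {
    const bf = await reg.backgroundFetch.get(id);
    if (!bf) continue;                    // raced with completion or abort
    out.push({
      scope: reg.scope,
      id: bf.id,
      result: bf.result,                  // '' while in progress, 'success' or 'failure' when done
      downloaded: bf.downloaded,
      downloadTotal: bf.downloadTotal,
      inProgress: bf.result === '',
    });
  }
  return out;
}

// Walk every registration reachable from a ServiceWorkerContainer-like object
// (navigator.serviceWorker in a page). With abortInProgress set, in-progress
// fetches are aborted and the number of successful aborts is returned.
async function auditBackgroundFetches(container, { abortInProgress = false } = {}) {
  const regs = await container.getRegistrations();
  const findings = [];
  let aborted = 0;
  for (const reg of regs) {
    const entries = await summarizeRegistration(reg);
    for (const e of entries) {
      findings.push(e);
      if (abortInProgress && e.inProgress) {
        const bf = await reg.backgroundFetch.get(e.id);
        if (bf && (await bf.abort())) aborted++;   // abort() resolves true when it succeeded
      }
    }
  }
  return { findings, aborted };
}

// Constructed stand-in for navigator.serviceWorker so the audit can be run
// outside a browser. One fetch is still running, one has already completed.
function makeFakeContainer() {
  const fetches = new Map([
    ['video-1', { id: 'video-1', result: '', downloaded: 10, downloadTotal: 100 }],
    ['doc-2', { id: 'doc-2', result: 'success', downloaded: 5, downloadTotal: 5 }],
  ]);
  for (const bf of fetches.values()) {
    bf.abort = async () => {
      if (bf.result !== '') return false;  // finished fetches cannot be aborted
      bf.result = 'failure';
      return true;
    };
  }
  const reg = {
    scope: 'https://example.invalid/',     // constructed scope URL
    backgroundFetch: {
      getIds: async () => [...fetches.keys()],
      get: async (id) => fetches.get(id) ?? null,
    },
  };
  return { getRegistrations: async () => [reg] };
}

// In a real page, run the audit against the live container.
if (typeof navigator !== 'undefined' && navigator.serviceWorker) {
  auditBackgroundFetches(navigator.serviceWorker).then((r) => console.table(r.findings));
}
```

Because the check is scoped to one origin, it cannot reveal registrations made by a different site; in Chrome, chrome://serviceworker-internals lists registered service workers across all origins and is the place to start when a download dropdown appears with no obvious cause, as the article describes. Aborting a fetch and unregistering the service worker that owns it removes that origin's persistence, but a site the user revisits can register again, so the audit is a check, not a fix.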

Other browsers

Other browsers Rebane confirmed as vulnerable include Brave, Opera, Vivaldi, and Arc. Both Firefox and Safari are unaffected because they don’t support the browser-fetching feature.