
Google Chrome Warning: New Drive-By Cyber ​​Attack, No 0 Days Required

The cost of a zero-day exploit has always been high, especially for one that lets an attacker execute remote code on a host machine. But why pay hundreds of thousands of dollars for a 0-day when a relatively simple drive-by attack doesn’t need one and can achieve much the same result? That question interested an Imperva security researcher, who has published a report on a new drive-by attack using something called the Evil Code Editor. Here’s what you need to know.


Attacking Google Chrome Users with the Evil Code Editor Exploit

“A remote code execution chain in Google Chrome that allows an attacker to execute code on the host machine can cost anywhere from $250,000 to $500,000,” said Ron Masas, a security researcher at Imperva, in a report dated November 7. With that kind of spending power reserved mostly for spy agencies and state-sponsored attackers, Masas wondered, where does that leave the “middle kid with scripts” who used similar methods years ago? Java drive-by downloads were relatively common in 2008, when Masas began his security career, using small Java applets embedded in web pages. Fast forward to 2022 and Masas began exploring the File System Access API, which allows websites to read and write specific files selected by the user. “With some notable exceptions,” noted Masas, “being what Chrome considers to be system files.”

Affecting all Chromium-based web browsers, Masas said the API bypasses both Windows and macOS security mechanisms, although the report focuses specifically on macOS. Gatekeeper on macOS is a security feature that prevents users from running untrusted software, and macOS has an additional app sandbox that limits an app’s access to system resources and data. “The Chrome browser doesn’t use this sandboxing feature,” Masas said, “which is another reason why the File System Access API can be so dangerous.” If a user interacts with the File System Access API on a website, they’ll be asked to approve write access; if they get that wrong and grant it, Masas pointed out, “all previous security boundaries are bypassed.”

So what about the com.apple.quarantine attribute, added by the API, that flags the file as untrustworthy because it was downloaded from the internet? “One limitation of macOS Gatekeeper,” Masas said, is that “it doesn’t recheck this binary when it’s run by another application, which in our case is Google Chrome itself.”


Bypassing and Exploiting the Google Chrome Blocklist

Although Chrome restricts write access to files via a blocklist, Masas discovered he could bypass this by dragging and dropping a file, a path that apparently wasn’t checked. The TL;DR is that to successfully exploit this vulnerability, the attacker must convince a user to grant write access to the file in question. Masas used the Google Chrome Helper to, uh, help with that. Acting as an intermediary between Chrome and installed plugins, the helper process can be created “to handle the required external interactions and the resources required for those actions” when something like a print window command is executed. “That’s why overwriting gives us immediate code execution,” Masas said, and he created a proof of concept with a supposed browser AI helper and a fake web-based integrated development environment he called Evil Code Editor.
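The blocklist bypass described above comes down to one entry point (drag and drop) skipping a check that another entry point (the file picker) performed. The following Python example is added here and is not code from Imperva, Google or the Chromium project; it models that failure mode beside the corresponding fix. The blocklist prefixes and the helper path inside the app bundle are constructed for illustration and are not Chrome’s actual list or layout. The design point it shows is the one a reviewer would look for: canonicalize the path first, route every entry point through a single decision routine, and record each decision so attempts can be audited.

```python
import posixpath

# Constructed, illustrative blocklist: a few locations a browser should never
# let a web page write to. Chrome's real blocklist is not reproduced here.
PROTECTED_PREFIXES = (
    "/Applications/Google Chrome.app",
    "/System",
    "/usr/bin",
)


def canonicalize(path: str) -> str:
    """Collapse '.', '..' and repeated separators so that a path such as
    /Users/alice/../../System/Library cannot slip past a prefix comparison.
    This example works on strings only; a real guard would additionally
    resolve symlinks against the live file system (os.path.realpath)."""
    if not path.startswith("/"):
        raise ValueError("guard expects absolute paths")
    return posixpath.normpath(path)


def is_protected(path: str, prefixes=PROTECTED_PREFIXES) -> bool:
    """True if the canonical path is a protected prefix or lies underneath one.
    The trailing '/' in the comparison keeps '/Applications/Google Chrome.app'
    from matching a sibling such as '/Applications/Google Chrome.application'."""
    target = canonicalize(path)
    for prefix in prefixes:
        prefix = posixpath.normpath(prefix)
        if target == prefix or target.startswith(prefix + "/"):
            return True
    return False


class NaiveGuard:
    """Models the flaw the article describes: the blocklist is consulted on the
    file-picker path, but a file handed over by drag-and-drop skips it."""

    def request_from_picker(self, path: str) -> bool:
        return not is_protected(path)

    def request_from_drop(self, path: str) -> bool:
        return True  # no check at all on this entry point


class WriteAccessGuard:
    """Hardened form: every entry point funnels through one decision routine,
    and each decision is recorded so that attempts can be reviewed."""

    def __init__(self, prefixes=PROTECTED_PREFIXES):
        self.prefixes = prefixes
        self.audit_log = []  # (entry_point, canonical_path, allowed)

    def _decide(self, path: str, entry_point: str) -> bool:
        allowed = not is_protected(path, self.prefixes)
        self.audit_log.append((entry_point, canonicalize(path), allowed))
        return allowed

    def request_from_picker(self, path: str) -> bool:
        return self._decide(path, "picker")

    def request_from_drop(self, path: str) -> bool:
        return self._decide(path, "drag-drop")


def compare_guards(path: str) -> dict:
    """Run the same write request through both guards via drag-and-drop."""
    return {
        "naive_drop": NaiveGuard().request_from_drop(path),
        "hardened_drop": WriteAccessGuard().request_from_drop(path),
    }


if __name__ == "__main__":
    # Constructed path; the real helper lives deeper inside the bundle.
    helper = "/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Helper"
    print(compare_guards(helper))
```

Running the module prints the naive guard allowing the drop and the hardened guard refusing it. The audit log is the part defenders tend to want most: a write request aimed at the browser’s own bundle is a strong signal even when it is blocked.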

Google Responds to Chrome Drive-By Disclosure

Masas disclosed the blocklist bypass to Google, which said it was aware of the problem and working on a fix. However, Masas said that it has now been more than 10 months since that disclosure, which is why Imperva chose to release details about the vulnerability now.

I’ve reached out to Google for a statement and will update this article soon. Meanwhile, Masas said that “Google has informed us that it plans to restrict the File System Access API to the Chrome application bundle, which should mitigate the specific attacks discussed in this blog post. These changes are expected to be implemented in Chrome 132.”
