One of Microsoft’s Windows 10 updates was so bad it broke Google Chrome


Google has revealed that Microsoft managed to break an important security feature in all Chromium-based web browsers, including Chrome, with its Windows 10 1903 update.

The security feature in question is the Chromium sandbox. The sandbox should allow users to run apps and extensions in a virtual environment separate from the operating system. If a download you’re running in the sandbox contains malicious code, it won’t be able to access or infect your operating system.

It’s a very useful tool, but at some point Microsoft managed to include a “security feature bypass vulnerability” (as Microsoft itself terms it in a security advisory), which means Windows 10 failed to “properly handle token relationships”. 

In English?

Essentially, what this means is that a malicious user could exploit the vulnerability to let an application at one integrity level execute code at a different integrity level – escaping the Chromium sandbox and running code that could affect the host PC. Basically, exactly the opposite of what the sandbox is designed for.

As Google’s Project Zero team, which found this issue, notes in a blog post, “The sandbox works on the concept of least privilege by using Restricted Tokens” – and if those tokens aren’t handled correctly, your PC can be put at risk.

The whole blog post is worth reading – though it is very technical – as it explains in depth how this vulnerability works.

The fact that it affects Chrome – the most widely-used web browser in the world – is certainly worrying, even if you don’t use the sandbox feature. It shows that Microsoft’s recent problems with Windows 10 updates are affecting other developers' software as well.

It’s not just Chrome that’s been hit either, but any browser that uses the Chromium engine. Embarrassingly, that also now includes the new Microsoft Edge.

Perhaps even more embarrassingly, Microsoft has released a patch to fix the vulnerability – Windows 10 KB4549951 – but that patch has itself been found to cause serious problems for some users.

We've contacted Microsoft for comment, and will update this story when we hear back.

Matt Hanson
Managing Editor, Core Tech
