meta metadata [mini] Microsoft hacks ChromeOS with Audio

[rcmaehl]

Summary

A buffer overflow in ChromeOS's audio handling would have allowed Remote Code Execution on ChromeOS

 

Quotes

Quote

Google has... made it a sport to point out security issues with Windows as it purports to protect its Chrome users..., but a... bug found by Microsoft put the onus back on Google to patch ChromeOS. Microsoft is firing back with a find of its own with the platform misusing strcpy(). ChromeOS cras D-Bus SetPlayerIdentity causes memory corruption. "We discovered the vulnerability could be remotely triggered by manipulating audio metadata. Attackers could have lured users into meeting these conditions, such as by simply playing a new song in a browser or from a paired Bluetooth device" Microsoft tagged it with CVE-2022-2587... with a CVSS score of 9.8 out of 10. Fortunately, this was all done back in April 2022 and has since been patched by Google and its ChromeOS team. In roughly a week.

 

My thoughts

Ah yes, I can see it now. People running one of the 115 Chromebooks models no longer getting updates being pwn'd by a malicious youtube video or web ad. Just playing a video and then all of a sudden your printer starts spitting out a billion copies of an entirely ink soaked black page.

 

Sources

OnMSFT (quote source)

The Register

ChromeOS Bug Report